Mixed content is still breaking sites in 2026

You migrated to HTTPS years ago. Your certificate is valid, your redirects are in place, and the padlock shows up in the address bar. Then one day a customer mentions they saw a "Not Secure" warning on your checkout page. You check and sure enough, there's a single image loaded over http:// buried in a product description someone wrote in 2019.

Mixed content is one of those problems that should be extinct by now. Every major browser blocks active mixed content (scripts, stylesheets, iframes loaded over HTTP on an HTTPS page) by default. But passive mixed content, things like images and videos, often still loads with just a console warning that nobody sees until a customer does.

Active vs. passive: the difference matters

Active mixed content is the serious kind. If a script loads over HTTP on your HTTPS page, a man-in-the-middle attacker could modify that script in transit and inject malicious code. Browsers have blocked this by default since Chrome 79 (December 2019) and Firefox 72 (January 2020). If you have active mixed content, your page is already broken. The script simply doesn't load.

Passive mixed content is what most sites still carry. Images, audio, and video loaded over HTTP on HTTPS pages. Browsers will load them but may show a degraded security indicator. Chrome removed the padlock icon entirely in September 2023 and replaced it with a tune icon, partly because mixed content made the padlock unreliable as a trust signal.

The real risk with passive mixed content isn't the browser warning. It's the signal it sends to automated scanners, security audits, and search engines. Google's Page Experience signals include HTTPS as a ranking factor, and mixed content undermines it.

Where mixed content hides

The obvious places are easy to check. Your templates, your CSS, your navigation images. But mixed content tends to hide in places people forget to audit:

CMS content fields. Blog posts written years ago with hardcoded image URLs. Product descriptions with vendor-provided images pasted in as absolute HTTP URLs. User-submitted content in forums or comment sections.

Third-party embeds. An embedded map, a chat widget, or a social media feed that loads its assets over HTTP. You don't control their code, but their mixed content appears on your page.

Inline styles. A background-image: url(http://...) in an inline style attribute is mixed content that grep won't find unless you're looking for it specifically.

Dynamically loaded content. JavaScript that constructs image URLs at runtime. The HTML source looks clean, but the rendered page loads HTTP resources.

What the audit finds

The Mixed Content Audit fetches your page and inspects every resource reference in the HTML. It categorizes each finding as active or passive, shows the exact element and URL, and flags the severity.

Active mixed content is reported as a critical finding because browsers already block those resources. Your site is broken, and you may not know it because you have been viewing a cached version.

Passive mixed content is reported as a warning because the resources still load but degrade your security posture. The fix is usually as simple as changing http:// to https:// or re-uploading the asset to your own server.

The tool also checks for protocol-relative URLs (//example.com/image.jpg), which used to be the recommended fix for mixed content back when some sites still needed HTTP support. Protocol-relative URLs work but are considered an anti-pattern now that HTTPS is universal. The clean fix is just using https:// explicitly.
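The hiding places listed above (CMS fields, inline styles, embeds) and the audit's active/passive/protocol-relative classification can both be exercised with a small static scanner. The Python below is an added example written for this post, not the Mixed Content Audit tool itself. It assumes nothing beyond the standard library; the example.test hostnames in the sample page are constructed placeholders, and the severity labels and helper names (`scan_html`, `suggested_fix`, `summarize`) are this example's own choices.

```python
"""Static mixed-content scanner: an added example, not the Mixed Content Audit tool.
Feed it HTML; it reports http:// and protocol-relative resource references found in
markup, inline style attributes and <style> blocks. URLs built by JavaScript at
runtime are invisible to any static scan and need a rendered-page check instead."""
import re
from html.parser import HTMLParser

# Active (blocked by browsers) vs. passive (loaded with a warning) element attributes.
ACTIVE_ATTRS = {"script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",)}
PASSIVE_ATTRS = {"img": ("src", "srcset"), "audio": ("src",),
                 "video": ("src", "poster"), "source": ("src", "srcset")}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
CSS_IMPORT_RE = re.compile(r"@import\s+(?:url\(\s*)?['\"]?([^'\")\s;]+)", re.IGNORECASE)


def classify(url):
    """'http' for an explicit http:// URL, 'protocol-relative' for //host/..., else None."""
    u = url.strip()
    if u.startswith("//"):
        return "protocol-relative"
    return "http" if u.lower().startswith("http://") else None


def suggested_fix(url):
    """The clean fix the post recommends: an explicit https:// URL."""
    u = url.strip()
    if u.startswith("//"):
        return "https:" + u
    return "https://" + u[len("http://"):] if u.lower().startswith("http://") else u


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def _record(self, where, url, kind):
        issue = classify(url)
        if issue is None:
            return
        # Blocked (active) references are critical; passive ones still load, so they
        # are warnings; protocol-relative URLs work today and are reported as info.
        severity = "info" if issue == "protocol-relative" else (
            "critical" if kind == "active" else "warning")
        self.findings.append({"where": where, "url": url.strip(), "kind": kind,
                              "issue": issue, "severity": severity,
                              "fix": suggested_fix(url)})

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "style":
            self._in_style = True
        # <link rel=stylesheet> is active; other link rels are not checked here.
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            self._record("link[href]", a.get("href", ""), "active")
        for name in ACTIVE_ATTRS.get(tag, ()):
            if name in a:
                self._record(f"{tag}[{name}]", a[name], "active")
        for name in PASSIVE_ATTRS.get(tag, ()):
            if name not in a:
                continue
            # srcset holds "url descriptor, url descriptor"; keep just the URLs.
            candidates = a[name].split(",") if name == "srcset" else [a[name]]
            for candidate in candidates:
                parts = candidate.split()
                if parts:
                    self._record(f"{tag}[{name}]", parts[0], "passive")
        # Inline styles: the background-image case a plain grep for src= misses.
        for u in CSS_URL_RE.findall(a.get("style", "")):
            self._record(f"{tag}[style]", u, "passive")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if not self._in_style:
            return
        imports = CSS_IMPORT_RE.findall(data)
        for u in imports:                      # @import pulls in CSS: active
            self._record("style @import", u, "active")
        for u in CSS_URL_RE.findall(data):     # url() images and fonts: passive
            if u not in imports:
                self._record("style url()", u, "passive")


def scan_html(html):
    """Parse one HTML document and return its mixed-content findings in source order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    counts = {"critical": 0, "warning": 0, "info": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed sample page (example.test hosts are placeholders, not real sites).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//cdn.example.test/site.css">
<style>@import url("http://fonts.example.test/f.css");
.hero { background: url(http://img.example.test/hero.jpg) }</style>
<script src="http://cdn.example.test/app.js"></script>
</head><body>
<div style="background-image: url('http://img.example.test/bg.png')">
<img src="https://img.example.test/ok.png"
     srcset="http://img.example.test/p1.jpg 1x, https://img.example.test/p2.jpg 2x">
<iframe src="https://maps.example.test/embed"></iframe>
</div></body></html>"""

if __name__ == "__main__":
    results = scan_html(SAMPLE_HTML)
    for f in results:
        print(f"{f['severity']:8} {f['kind']:7} {f['where']:14} {f['url']}  ->  {f['fix']}")
    print(summarize(results))
```

Run it against saved HTML from your own pages (the output of a fetch, or a CMS export of old post bodies) rather than against templates alone, since the hardcoded URLs the post describes live in content, not code. The scanner deliberately reports the protocol-relative stylesheet as info rather than critical: it works today, but the suggested fix still rewrites it to an explicit https:// URL. What it cannot see is the fourth hiding place, URLs assembled by JavaScript at runtime; for those, load the page in a browser and read the mixed-content warnings in the developer console.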

If you're running a small business site and this kind of technical debt keeps piling up, The $20 Dollar Agency ($9.99 on Kindle) covers how to build a maintenance workflow that catches these problems before customers do.

Fact-check notes and sources

  • Chrome 79 (December 2019) began blocking active mixed content. Source: Chromium blog, "No More Mixed Messages About HTTPS."
  • Chrome 86 (October 2020) began auto-upgrading mixed images to HTTPS. Source: Chromium blog.
  • Chrome removed the padlock icon in Chrome 117 (September 2023), replacing it with a "tune" icon. Source: Google Security Blog.
  • Google's Page Experience signals include HTTPS as a ranking consideration. Source: Google Search Central documentation.

This post is informational, not security-consulting advice. Mentions of Chrome, Firefox, Google, and other third parties are nominative fair use. No affiliation is implied.
