TLS / HTTPS

How to fix mixed content (HTTP on HTTPS pages)

Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.

What it is

Mixed content occurs when a page is served over HTTPS but requests subresources (scripts, stylesheets, iframes, images, fonts, XHR/fetch calls) over plain HTTP. Browsers block active mixed content outright: scripts, stylesheets, iframes and fetch/XMLHttpRequest requests that could run code or read the DOM. Passive mixed content (images, audio, video) is handled more leniently: current Chrome and Firefox silently upgrade the request to HTTPS and block it only if the upgrade fails, while older browsers load it and downgrade the padlock or show a warning.

Why it matters

Mixed content undoes the guarantee HTTPS is supposed to give: anything fetched over HTTP can be read and replaced by anyone on the network path. A script loaded over HTTP runs with the full privileges of your HTTPS origin, so a tampered copy can read the page, steal data, hijack the session or rewrite forms. Blocked active content also breaks functionality, and any remaining passive content costs you the padlock. A fully secure HTTPS site requires that every subresource is fetched over HTTPS.

How it is exploited

Your HTTPS page pulls a tracking script from http://cdn.example/track.js. An attacker on the café Wi-Fi intercepts that plain HTTP request and returns their own JavaScript instead. The script now runs in the context of your HTTPS origin and can read the DOM, any auth cookie that lacks HttpOnly, and every form the user fills in. Even with HttpOnly set, the injected script can still make requests as the logged-in user, because the browser attaches the cookie to them automatically. (In a current browser this particular request would be blocked, so the page would break instead of being hijacked; the attack applies to browsers and content types that still load the resource.)

How to fix it

  1. Find mixed content. Open the browser dev tools Console on each HTTPS page and look for "Mixed Content" messages, or run Barrion's mixed content check. Note every URL requested over HTTP. Do not stop at HTML attributes: CSS url() references, srcset lists, URLs assembled in JavaScript and content stored in the CMS database are the usual places that hide.
  2. Update URLs to HTTPS. Change resource URLs from http:// to https:// where the host serves HTTPS (check first: a host that serves only HTTP will break when rewritten, and needs a different source). Relative paths inherit the page's scheme and are fine; protocol-relative URLs (//host/path) also work but offer no benefit over an explicit https:// now that the page itself is always HTTPS.
  3. Fix hardcoded or CMS content. Check templates, stored page content, and third-party embeds and widgets. Replace http:// with https:// for images, scripts, styles, and iframes. Content in a CMS database usually needs a search-and-replace run against the database, not just the theme files.
  4. Add a safety net. Send the Content-Security-Policy header with the upgrade-insecure-requests directive so that any http:// reference you missed is rewritten to https:// by the browser before the request leaves. This is a backstop, not a substitute for fixing the URLs: it cannot help with hosts that do not serve HTTPS, and old browsers ignore it.
  5. Redeploy and re-scan. Deploy the changes and run the mixed content check again, including pages behind login, to confirm no HTTP resources remain on your HTTPS pages.
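The following script is an added example for steps 1 to 3 and for verification afterwards; it is not Barrion's scanner or any project's code. It uses only the Python standard library: html.parser walks the markup, each http:// subresource is reported as active or passive the way a browser would treat it, and an optional rewrite changes only the scheme of the flagged attribute so the rest of the template is left byte-for-byte intact (query strings, HTML entities, other attributes). The sample page is constructed for the demo. Like grep, it cannot see URLs built at runtime in JavaScript, in CSS url() rules or in srcset lists, so use it on templates and stored HTML and still check the live page in the browser.

```python
"""Find and rewrite mixed content in HTML (added example; standard library only)."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element -> attribute naming the subresource the browser will fetch.
URL_ATTRS = {
    "script": "src", "iframe": "src", "img": "src", "video": "src",
    "audio": "src", "source": "src", "embed": "src", "object": "data",
    "link": "href",
}
# Active content can run code or reach the DOM and is blocked outright by
# browsers; the rest (images, media) is passive and is upgraded or warned about.
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}
ACTIVE_LINK_RELS = {"stylesheet", "preload", "modulepreload"}
PASSIVE_LINK_RELS = {"icon", "apple-touch-icon", "manifest", "prefetch"}


@dataclass
class Finding:
    tag: str
    attr: str
    url: str
    kind: str    # "active" or "passive"
    start: int   # absolute offset of the raw start tag in the document
    raw: str     # raw start tag text, e.g. '<script src="http://...">'


class MixedContentFinder(HTMLParser):
    def __init__(self, html):
        super().__init__()
        self.findings = []
        # HTMLParser reports (line, column); map that back to absolute offsets.
        self._line_starts = [0] + [i + 1 for i, ch in enumerate(html) if ch == "\n"]
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        values = dict(attrs)
        url = (values.get(attr) or "").strip()
        # urlsplit lowercases the scheme, so HTTP:// is caught too; https://,
        # protocol-relative (//), relative and data: URLs are not mixed content.
        if urlsplit(url).scheme != "http":
            return
        if tag == "link":
            rels = set((values.get("rel") or "").lower().split())
            if rels & ACTIVE_LINK_RELS:
                kind = "active"
            elif rels & PASSIVE_LINK_RELS:
                kind = "passive"
            else:
                return  # rel=canonical, alternate, ... are never fetched
        else:
            kind = "active" if tag in ACTIVE_TAGS else "passive"
        line, col = self.getpos()
        start = self._line_starts[line - 1] + col
        self.findings.append(Finding(tag, attr, url, kind, start, self.get_starttag_text()))


def find_mixed_content(html):
    """Every http:// subresource reference in the document, in document order."""
    return MixedContentFinder(html).findings


def _upgrade_scheme(raw_tag, attr):
    # Change only this attribute's scheme, so query strings, HTML entities and
    # the tag's other attributes are left byte-for-byte as they were.
    pattern = re.compile(r'((?<![\w-])' + re.escape(attr) + r'\s*=\s*["\']?\s*)http://', re.I)
    return pattern.sub(r"\g<1>https://", raw_tag, count=1)


def upgrade_to_https(html):
    """The document with each flagged URL rewritten to https://; nothing else changes."""
    out = html
    # Splice from the end of the document backwards so earlier offsets stay valid.
    for f in sorted(find_mixed_content(html), key=lambda f: f.start, reverse=True):
        out = out[:f.start] + _upgrade_scheme(f.raw, f.attr) + out[f.start + len(f.raw):]
    return out


# Constructed sample page for the demo; not taken from any real site.
SAMPLE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://www.example/page">
<script src="http://cdn.example/track.js?v=1&amp;x=2"></script>
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="HTTP://img.example/logo.png" alt="logo">
<img src="//img.example/hero.png">
<iframe src="http://widgets.example/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE):
        print(f"{f.kind:7} <{f.tag} {f.attr}> {f.url}")
    print(upgrade_to_https(SAMPLE))
```

On the sample the finder reports the stylesheet, the tracking script and the iframe as active and the logo image as passive; the canonical link, the https:// script and the protocol-relative image are correctly ignored. Running the rewritten output back through the finder returns nothing, which is the same check you want after redeploying: scan again until the list is empty.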

How to verify the fix

Check the live page in the browser:

Open DevTools on the HTTPS page: the Console lists each blocked or upgraded request as a 'Mixed Content' message, and the Network panel shows any request whose scheme is still http. Repeat for pages that are only reachable after login, since an unauthenticated scan does not see them.

Search the source tree for any remaining http:// references. Expect false positives (XML namespace URLs such as http://www.w3.org/2000/svg are identifiers and are never fetched) and remember that grep cannot see URLs stored in the CMS database or assembled at runtime in JavaScript:

grep -RIn "http://" public/ src/

Check your site for this finding.

Run Barrion's free TLS / HTTPS check to see if this applies to your app, with a full report and remediation steps.