Mixed Content Warnings: Find and Fix Insecure Resources

Stop letting mixed content warnings tank your user trust and SEO. This guide provides a comprehensive mixed content fix, showing you how to find and eradicate every insecure resource on your site.

What is Mixed Content? (And Why Browsers Despise It)

You’ve done the hard work. You migrated your entire site to HTTPS, set up 301 redirects, and submitted your new sitemap. You see the comforting padlock icon, and then, on some random page, it vanishes, replaced by a jarring ‘Not Secure’ warning. This is the infuriating work of mixed content.

Mixed content occurs when an initial HTML document is loaded securely over HTTPS, but other resources—like images, scripts, or stylesheets—are loaded insecurely over HTTP. Anything fetched over plain HTTP can be read or rewritten by anyone on the network path, so the guarantees HTTPS gave the page no longer hold for what that page displays or executes. The ‘mix’ of secure and insecure content effectively punches a hole in the security of the page.

Browsers, quite rightly, despise this. They will either flag the page as insecure, eroding user trust, or worse, outright block the insecure resources, breaking your page’s functionality and appearance. A proper website security posture demands a zero-tolerance policy for this nonsense.

Active vs. Passive: Not All Mixed Content is Created Equal

To effectively tackle a mixed content fix, you need to understand the two categories of insecure resources. Browsers treat them very differently, and you should prioritize your fixes accordingly.

The distinction comes down to how much damage the resource could do if it were compromised by a man-in-the-middle attack.

  • Passive Mixed Content: This refers to content that can’t alter the rest of the page: images (`<img>`), video (`<video>`) and audio (`<audio>`). Browsers have traditionally loaded it while dropping the padlock and warning ‘Not Secure’; current Chrome instead tries to upgrade these requests to HTTPS and blocks them if the upgrade fails. The risk is real but bounded: an attacker on the network path can swap in a misleading image or observe which pages a user opens, but cannot run code in the page.
  • Active Mixed Content: This is the truly dangerous stuff. It’s content that can interact with and modify your page, like scripts (`<script>`), stylesheets (`<link rel="stylesheet">`), iframes (`<iframe>`), and XMLHttpRequest or fetch() calls. An attacker who intercepts one of these resources controls the whole page: they can steal data, install malware, or deface your site. Modern browsers block active mixed content by default, which means your site will simply break.

The Hunt: A Scalable Plan to Find Mixed Content

You can’t fix what you can’t find. While you could manually check pages using browser DevTools and wait for the console to scream at you, that’s laughably inefficient for any site larger than a single page. You need a crawler.

A systematic audit requires a tool that can crawl every single URL and inspect the resources it loads. This is the only reliable way to find mixed content at scale and ensure nothing slips through the cracks.

This is where ScreamingCAT shines. Our crawler, built in Rust, is designed for speed and efficiency. You can configure it to crawl your site and it will generate a dedicated report listing every single page that loads an insecure resource, along with the URL of the insecure resource itself. If you’re new to this, check out our getting started guide.

Simply point ScreamingCAT at your HTTPS root domain, run the crawl, and navigate to the ‘Insecure Content’ report. Your entire to-do list will be waiting for you, neatly organized.
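As an added illustration of the active/passive split above and of what a crawler has to do on every page (example code written for this article, not part of ScreamingCAT), the script below parses one HTML document with the Python standard library, resolves each subresource URL against the page URL, keeps only those that end up with an `http:` scheme, and tags each as active or passive. The sample page and its hostnames are constructed; relative and protocol-relative URLs are deliberately included to show that they are not mixed content.

```python
"""Find and classify mixed content in one HTML document.

Added example for this article, not part of ScreamingCAT. Standard library only,
so it runs offline against the constructed sample page at the bottom.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs whose value the browser fetches as a subresource.
# Images, audio and video are "optionally blockable" (passive) in the Mixed
# Content spec; scripts, stylesheets, frames and plugins are blockable (active).
PASSIVE_ATTRS = {
    ("img", "src"), ("img", "srcset"), ("source", "src"), ("source", "srcset"),
    ("audio", "src"), ("video", "src"), ("video", "poster"),
}
ACTIVE_ATTRS = {
    ("script", "src"), ("iframe", "src"), ("frame", "src"),
    ("object", "data"), ("embed", "src"),
}
SUBRESOURCE_KINDS = {**{k: "passive" for k in PASSIVE_ATTRS},
                     **{k: "active" for k in ACTIVE_ATTRS}}


@dataclass(frozen=True)
class Finding:
    page: str   # document that contains the reference
    tag: str    # element name, e.g. "script"
    attr: str   # attribute that holds the URL, e.g. "src"
    url: str    # absolute insecure URL after resolution against the page
    kind: str   # "active" (blocked by browsers) or "passive" (warned about)


def _candidate_urls(attr, value):
    """Yield the URL(s) in an attribute; srcset holds comma-separated 'url descriptor' pairs."""
    if attr == "srcset":
        for part in value.split(","):
            tokens = part.strip().split()
            if tokens:
                yield tokens[0]
    else:
        yield value.strip()


class _MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        rel = attrs.get("rel", "").lower().split()
        for attr, value in attrs.items():
            kind = SUBRESOURCE_KINDS.get((tag, attr))
            # <link> fetches many kinds of resource; only stylesheets are checked here.
            if tag == "link" and attr == "href" and "stylesheet" in rel:
                kind = "active"
            if kind is None:
                continue
            for raw in _candidate_urls(attr, value):
                absolute = urljoin(self.page_url, raw)
                # Only an http: scheme after resolution is mixed content. Relative and
                # protocol-relative (//host/path) URLs inherit https from the page, and
                # data:/blob: URLs are never mixed content.
                if urlsplit(absolute).scheme == "http":
                    self.findings.append(Finding(self.page_url, tag, attr, absolute, kind))


def find_mixed_content(html, page_url):
    """Return every http: subresource reference in a document served at page_url.

    CSS url() references and resources injected by JavaScript are invisible to a
    static parse; a crawler that renders pages or a CSP report channel covers those.
    """
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for documents delivered over HTTPS
    scanner = _MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def prioritize(findings):
    """Active findings first (browsers block them and break the page), then passive."""
    return sorted(findings, key=lambda f: (f.kind != "active", f.url))


# Constructed sample page; the hostnames are placeholders, not real sites.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="icon" href="http://www.example.com/favicon.ico">
<script src="//cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
</head><body>
<img src="/images/logo.png" srcset="http://img.example.com/logo.png 1x, /images/logo@2x.png 2x">
<img src="data:image/gif;base64,R0lGODlh">
<video poster="http://media.example.com/poster.jpg"><source src="https://media.example.com/clip.mp4"></video>
<iframe src="http://widgets.example.com/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in prioritize(find_mixed_content(SAMPLE_PAGE, "https://www.example.com/page")):
        print(f"{f.kind:8} <{f.tag} {f.attr}> {f.url}")
```

Run against the sample page it reports five insecure references, three active and two passive, and says nothing about the protocol-relative script, the relative image, the `data:` image or the favicon (only `rel="stylesheet"` links are examined). A real crawl is this function applied to every rendered page, plus the CSS and JavaScript-injected loads that a static parse cannot see.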

Your Step-by-Step Guide to a Comprehensive Mixed Content Fix

With your crawl report in hand, it’s time to execute the fix. This process is less about technical wizardry and more about methodical, systematic remediation. Don’t skip steps.

1. Analyze and Prioritize: Open your exported list of insecure resources. First, sort by content type to identify any active mixed content (scripts, CSS, iframes). These are your top priority because they are actively being blocked by browsers and breaking your site. Fix these immediately.

2. Locate the Source: For each insecure URL, identify where it’s being called from. Is it hardcoded in a PHP template? Is it embedded in a post from your WYSIWYG editor? Is it being dynamically inserted by a third-party JavaScript file? The ‘In-Links’ tab in your crawler report will show you exactly which page contains the offending code.

3. Implement the Fix: The simplest fix is to change the resource’s URL from `http://` to `https://`. Before you do, load the HTTPS version of the URL in your browser and confirm that it actually serves the same resource securely: a valid certificate for that hostname, no redirect back to HTTP, and the same file rather than a placeholder or error page. If it doesn’t, you can’t just swap the protocol. You’ll need to either find an alternative resource or host it on your own secure server.

4. Recrawl to Verify: Once you’ve deployed your fixes, run the crawl again. Your goal is an empty ‘Insecure Content’ report. Don’t assume your fixes worked; verify them.

Warning

Do not perform a blind find-and-replace for `http://` in your database. This is the fastest way to break your site by creating links to resources that don’t exist on HTTPS. Verify every single link before you change it.
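The four steps and the warning above can be mechanised without ever doing a text replace. The added example below (Python written for this article, not from the crawler) takes the insecure URLs from a crawl report, changes only the scheme component of each distinct URL, and asks a probe whether the HTTPS equivalent really serves: a 200 response that stays on HTTPS means ‘swap’, anything else (error status, redirect back to HTTP, TLS or connection failure) means ‘rehost or replace’. `probe_with_urllib` is a real network probe; `fake_probe` and its response table are constructed so the example runs offline.

```python
"""Decide, per insecure URL, whether swapping http:// for https:// is safe.

Added example for this article, not part of ScreamingCAT. The real probe uses
urllib; the fake probe and its response table are constructed so the planner
can be exercised offline.
"""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def https_equivalent(url):
    """Change only the scheme component. A text replace of 'http://' would also
    rewrite query strings, comments and unrelated data; this does not."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError(f"not an http: URL: {url}")
    return urlunsplit(parts._replace(scheme="https"))


def probe_with_urllib(url, timeout=10.0):
    """Real network probe: GET the URL with certificate verification on.

    Returns (status, final_url); raises on DNS, connection or TLS failure, which
    the planner treats as 'not available over HTTPS'.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "mixed-content-check/1.0"})
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, getattr(err, "url", url)


def plan_remediation(insecure_urls, probe):
    """Map each distinct http: URL to ('swap', https_url) or ('rehost', reason).

    'swap' requires a 200 from the HTTPS equivalent that stays on HTTPS after any
    redirects. Anything else means the resource must be rehosted or replaced.
    """
    plan = {}
    for url in sorted(set(insecure_urls)):  # a crawl report repeats URLs across pages
        target = https_equivalent(url)
        try:
            status, final_url = probe(target)
        except Exception as exc:  # certificate error, refused connection, timeout, ...
            plan[url] = ("rehost", f"{target}: {type(exc).__name__}")
            continue
        if status != 200:
            plan[url] = ("rehost", f"{target}: HTTP {status}")
        elif urlsplit(final_url).scheme != "https":
            plan[url] = ("rehost", f"{target}: redirected back to {final_url}")
        else:
            plan[url] = ("swap", target)
    return plan


# Constructed responses standing in for the network (placeholder hosts).
FAKE_RESPONSES = {
    "https://cdn.example.com/legacy.js": (200, "https://cdn.example.com/legacy.js"),
    "https://cdn.example.com/site.css": (200, "https://cdn.example.com/site.css"),
    # HTTPS endpoint exists but bounces straight back to HTTP: not a real fix
    "https://widgets.example.com/embed": (200, "http://widgets.example.com/embed"),
    "https://img.example.com/logo.png": (404, "https://img.example.com/logo.png"),
    # media.example.com is absent: the fake probe raises a certificate error for it
}


def fake_probe(url):
    if url not in FAKE_RESPONSES:
        raise ssl.SSLCertVerificationError("certificate verify failed")
    return FAKE_RESPONSES[url]


# Constructed crawl output: insecure URLs as a crawler would list them, with a duplicate.
SAMPLE_INSECURE = [
    "http://cdn.example.com/legacy.js",
    "http://cdn.example.com/site.css",
    "http://cdn.example.com/site.css",
    "http://widgets.example.com/embed",
    "http://img.example.com/logo.png",
    "http://media.example.com/poster.jpg",
]

if __name__ == "__main__":
    for url, (action, detail) in plan_remediation(SAMPLE_INSECURE, fake_probe).items():
        print(f"{action:7} {url} -> {detail}")
```

Pass `probe_with_urllib` instead of `fake_probe` to run it for real. Of the five distinct URLs in the sample only the two CDN files qualify for a swap; the widget redirects back to HTTP, the image returns 404 and the media host fails certificate verification, so all three need rehosting or replacing, exactly the cases a blind database find-and-replace would silently break.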

Advanced Mixed Content Fix: The Content Security Policy (CSP) Backstop

Fixing every hardcoded link is the correct solution. But for large, complex sites with legacy code or user-generated content, a safety net is invaluable. That safety net is a Content Security Policy (CSP).

A CSP is an HTTP response header that tells the browser which resources are allowed to be loaded on a page. It’s a powerful tool for locking down your site against various attacks, including XSS and data injection. For our purposes, one directive is particularly useful: `upgrade-insecure-requests`.

This directive instructs the browser to treat every insecure (HTTP) URL the page requests as if it had been written with `https://`: the request is rewritten before it leaves the browser, so no HTTP request is ever made. There is no fallback, though. If the HTTPS version of a resource does not exist, or its certificate is invalid, that resource simply fails to load, so the directive hides bad links rather than repairing them. It also only upgrades subresource requests and navigations to the same host; links to third-party sites are left alone.

You can implement it by adding the following HTTP header to your server’s response (a `<meta http-equiv="Content-Security-Policy">` tag in the document head works too):

Content-Security-Policy: upgrade-insecure-requests;

Think of CSP as a seatbelt. It can save you in a crash, but it’s not a substitute for learning how to drive properly. Fix the root cause first, then add CSP as an extra layer of protection.

Preventing a Relapse: How to Keep Your Site Secure

A one-time mixed content fix is a great start, but the web is dynamic. New code gets deployed, third-party plugins get updated, and content editors add new images. Insecurity can creep back in without a process.

Your best defense is ongoing monitoring. Integrate a site crawl into your regular maintenance schedule. Set up ScreamingCAT to run automatically once a month and alert you if the ‘Insecure Content’ report is no longer empty. This is a crucial part of any technical SEO audit checklist.

You can also use the `Content-Security-Policy-Report-Only` header. It applies a policy in audit mode: nothing is blocked, but the browser POSTs a JSON violation report to the endpoint named in a `report-uri` (or `report-to`) directive every time the policy would have fired. A discovery policy such as `Content-Security-Policy-Report-Only: default-src https: 'unsafe-inline' 'unsafe-eval' data: blob:; report-uri /csp-report` flags every subresource a real visitor’s browser fetched over plain HTTP, including ones injected by JavaScript or referenced from CSS that a static crawl cannot see. It’s an excellent way to discover new mixed content in production before it causes problems for your users.
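The reports a report-only policy produces are plain JSON, and an endpoint that turns them into a mixed content list is short. The following added example (Python written for this article, not part of ScreamingCAT) accepts both formats browsers send, the `report-uri` body with a single `csp-report` object and the Reporting API batch used by `report-to`, and counts each HTTP-scheme blocked URL per document and directive. The report bodies, hostnames and paths are constructed.

```python
"""Turn CSP violation reports into a mixed content list.

Added example for this article, not part of ScreamingCAT. The report bodies below
are constructed to match the two shapes browsers POST to a reporting endpoint.
"""
import json
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Violation:
    document: str     # page on which the violation happened
    blocked: str      # URL the policy matched ("inline"/"eval" for inline violations)
    directive: str    # effective directive, e.g. "img-src"
    disposition: str  # "report" under Report-Only, "enforce" otherwise


def parse_csp_reports(body):
    """Parse one POST body in either format a browser sends.

    report-uri: {"csp-report": {...}} with kebab-case keys, one violation per POST.
    report-to (Reporting API): a JSON array of {"type": "csp-violation", "body": {...}}
    with camelCase keys, possibly batched with unrelated report types.
    """
    data = json.loads(body)
    violations = []
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        violations.append(Violation(
            r.get("document-uri", ""),
            r.get("blocked-uri", ""),
            r.get("effective-directive") or r.get("violated-directive", ""),
            r.get("disposition", "enforce"),
        ))
    elif isinstance(data, list):
        for item in data:
            if item.get("type") != "csp-violation":
                continue
            b = item.get("body", {})
            violations.append(Violation(
                b.get("documentURL", ""),
                b.get("blockedURL", ""),
                b.get("effectiveDirective", ""),
                b.get("disposition", "enforce"),
            ))
    return violations


def mixed_content_from_reports(bodies):
    """Count violations whose blocked URL is insecure (http: or the ws: WebSocket
    scheme), keyed by (document, blocked URL, directive). 'inline', 'eval' and
    https: entries have no insecure scheme and drop out."""
    hits = Counter()
    for body in bodies:
        for v in parse_csp_reports(body):
            if urlsplit(v.blocked).scheme in ("http", "ws"):
                hits[(v.document, v.blocked, v.directive)] += 1
    return hits


# Constructed report bodies; hosts and paths are placeholders.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/blog/post-1",
        "blocked-uri": "http://img.example.com/hero.jpg",
        "violated-directive": "img-src",
        "effective-directive": "img-src",
        "disposition": "report"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/blog/post-1",
        "blocked-uri": "inline",
        "violated-directive": "style-src",
        "effective-directive": "style-src",
        "disposition": "report"}}),
    json.dumps([
        {"type": "csp-violation", "age": 12, "url": "https://www.example.com/shop",
         "body": {"documentURL": "https://www.example.com/shop",
                  "blockedURL": "http://widgets.example.com/embed",
                  "effectiveDirective": "frame-src", "disposition": "report"}},
        {"type": "csp-violation", "age": 30, "url": "https://www.example.com/shop",
         "body": {"documentURL": "https://www.example.com/shop",
                  "blockedURL": "http://widgets.example.com/embed",
                  "effectiveDirective": "frame-src", "disposition": "report"}},
        {"type": "deprecation", "age": 3, "url": "https://www.example.com/shop", "body": {}},
    ]),
]

if __name__ == "__main__":
    for (document, blocked, directive), n in mixed_content_from_reports(SAMPLE_BODIES).most_common():
        print(f"{n:3} {directive:10} {blocked}  on {document}")
```

Wire `parse_csp_reports` to whatever receives the POSTs at your reporting endpoint and feed the bodies to `mixed_content_from_reports` on a schedule; the result is the same kind of to-do list the crawl produces, but drawn from what visitors’ browsers actually loaded. Expect volume: the same violation arrives once per page view, which is why the counter keys on document, URL and directive rather than storing every report.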

Ultimately, the best prevention is education. Ensure your developers and content teams understand what mixed content is and why it’s critical to always use HTTPS URLs for all resources. A good mixed content fix is one you only have to do once.

Key Takeaways

  • Mixed content occurs when an HTTPS page loads insecure HTTP resources, creating security vulnerabilities and browser warnings.
  • Use a crawler like ScreamingCAT to efficiently find all instances of mixed content at scale; browser DevTools are insufficient for a full audit.
  • Fixing mixed content involves updating resource URLs to HTTPS, but always verify the secure version exists first. Prioritize fixing ‘active’ content like scripts and iframes.
  • Implement a Content Security Policy (CSP) with `upgrade-insecure-requests` as a powerful safety net, but not as a substitute for fixing the root cause in your code.
  • Prevent future issues by scheduling regular site crawls and educating your team on the importance of using secure resources.

ScreamingCAT Team

Building the fastest free open-source SEO crawler. Written in Rust, designed for technical SEOs who value speed, privacy, and no crawl limits.

Ready to audit your site?

Download ScreamingCAT for free. No limits, no registration, no cloud dependency.
