High Severity

Mixed Content (Insecure Resources)

Mixed Content occurs when an HTTPS page loads resources (images, scripts, styles) over insecure HTTP.

Business Risk

1. **Security**: An attacker can modify "passive mixed content" (images) to deface your site, or "active mixed content" (scripts) to fully hijack the session.
2. **UX**: Chrome and Firefox block active mixed content by default, breaking the features that depend on it. Passive content triggers a "Not Secure" warning in the URL bar.

Technical Details

Browsers are increasingly aggressive about mixed content. The `block-all-mixed-content` directive in your CSP is a good safety net. The `upgrade-insecure-requests` directive is a powerful quick fix: it tells the browser to automatically rewrite all `http://` requests to `https://` before sending them.

Remediation Guide

Add this meta tag to your `<head>` to force an upgrade.

```html
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
```
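To see which resources the directive would be upgrading, the following added example (not part of the original page or of any scanner's code) audits an HTML document for `http://` subresources and reports whether the meta tag above is present. The names `KIND`, `MixedContentAuditor` and `audit`, the sample hosts, and the treatment of stylesheets and iframes as active and of audio and video as passive are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumed classification (extends the page's images/scripts split): tags that
# can run code or restyle the page are "active", media tags are "passive".
KIND = {("script", "src"): "active", ("iframe", "src"): "active",
        ("link", "href"): "active", ("img", "src"): "passive",
        ("audio", "src"): "passive", ("video", "src"): "passive",
        ("source", "src"): "passive"}

class MixedContentAuditor(HTMLParser):
    """Collects http:// subresources and detects an upgrade-insecure-requests meta CSP."""

    def __init__(self):
        super().__init__()
        self.findings = []     # (kind, tag, url) in document order
        self.upgrades = False  # True once the meta CSP directive is seen

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            directives = [d.strip().lower() for d in a.get("content", "").split(";")]
            self.upgrades |= "upgrade-insecure-requests" in directives
            return
        # <link> fetches a subresource only for stylesheets; rel=canonical is just a URL.
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return
        for (t, attr), kind in KIND.items():
            if t == tag and a.get(attr, "").lower().startswith("http://"):
                self.findings.append((kind, tag, a[attr]))


def audit(html):
    parser = MixedContentAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings, parser.upgrades

# Constructed sample page; hosts are placeholders.
SAMPLE = """<head>
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
<link rel="canonical" href="http://example.test/page">
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script></head>
<body><img src="http://img.example.test/logo.png">
<a href="http://example.test/other">navigation, not a subresource</a></body>"""

if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE)[0]:
        print(f"{kind:8} <{tag}> {url}")
```

Findings on a page that already sends `upgrade-insecure-requests` are still worth fixing at the source, because an upgraded request fails if the host does not serve that resource over HTTPS.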
