Loading...
WebShield Audit
High severity
Mixed Content (Insecure Resources)
Mixed Content occurs when an HTTPS page loads resources (images, scripts, styles) over insecure HTTP.
Business risk
1. **Security**: An attacker can modify "passive mixed content" (images) to deface your site, or "active mixed content" (scripts) to fully hijack the session. 2. **UX**: Chrome and Firefox block active mixed content by default, breaking your specific features. Passive content triggers a "Not Secure" warning in the URL bar.
Technical details
Browsers are increasingly aggressive. `block-all-mixed-content` in your CSP directive is a good safety net. The `upgrade-insecure-requests` directive is a powerful quick fix: it tells the browser to automatically rewrite all `http://` requests to `https://` before sending them.
How to detect it
Mixed content shows up in the browser devtools console (look for "Mixed Content" warnings) and in the page source as literal `http://` URLs. For server-rendered pages, a recursive grep over your source catches most of them before they ship.
Find hardcoded http URLs in source
grep -rE "\bhttp://[^\s"']+" ./src --include="*.{ts,tsx,js,jsx,html,vue,svelte}"Report what the live page requests
curl -s https://yourdomain.com | grep -oE "http://[^\s"']+" | sort -uCollect browser reports
Content-Security-Policy: upgrade-insecure-requests; report-to mixed-contentCommon pitfalls
- Only fixing hardcoded URLs in templates. Dynamic JavaScript that builds `http://` URLs from config or environment variables slips past grep - log fetch/XHR URLs in dev to catch them.
- Relying on `upgrade-insecure-requests` alone. It only upgrades requests to the same host or known-HTTPS hosts; a third-party CDN that does not support HTTPS still fails. Replace those resources.
- Forgetting WebSocket URLs. `ws://` is also mixed content - switch to `wss://`.
- Leaving `http://` in hero videos, HLS manifests, or CSS `url()` backgrounds. These passive loads still produce a "Not Secure" state in some browsers and break on Chrome Android.
- Using the `<meta http-equiv>` variant on pages that need strict header-only directives. Prefer the HTTP header so it applies across all responses.
Remediation guide
External references
Frequently asked questions
upgrade-insecure-requests vs block-all-mixed-content?
`upgrade-insecure-requests` rewrites `http://` to `https://` at request time. `block-all-mixed-content` blocks them outright. Use upgrade first because it preserves functionality; use block for the strictest sites where any cleartext request is unacceptable.
What is passive vs active mixed content?
Passive mixed content is images, audio, and video loaded over HTTP. It downgrades the security indicator but is usually still displayed. Active mixed content is scripts, stylesheets, and iframes - those are blocked outright by modern browsers because they can execute code on your page.
My CDN offers HTTPS but some old URLs still use http://. What do I do?
Rewrite them. CSP `upgrade-insecure-requests` is a safety net, not a fix. Search your codebase for `http://` in template strings, config files, and database content (CMS posts are a common miss) and switch everything to `https://`.
Keep going
Related guide
Missing HTTP Strict Transport Security (HSTS)
High severity · Transport
Related guide
Missing Content Security Policy (CSP)
High severity · Content
Related guide
Weak TLS Protocols Enabled (TLS 1.0 / 1.1)
High severity · Transport
Deep guide
HSTS: A Complete, Rollback-Safe Setup Guide
The max-age ramp, subdomain audit and preload submission - in the order they won't burn you.
Free tool
HSTS Preload Checker
Test HSTS before you preload - because you only get to do it wrong once.
Verify your fix
Applied the configuration change? Run a live scan to confirm the vulnerability is patched.