How to fix mixed content (HTTP on HTTPS pages)
Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.
What it is
Mixed content occurs when a page is loaded over HTTPS but requests resources (scripts, images, styles, iframes) over HTTP. Browsers block active mixed content (scripts) and may warn or block passive mixed content (images) depending on the browser.
Why it matters
Mixed content weakens HTTPS: an attacker on the network can replace or tamper with HTTP resources. Scripts loaded over HTTP can be modified to steal data or hijack the session. Fixing mixed content is required for a fully secure HTTPS site.
How to fix it
1. Find mixed content
Use the browser dev tools Console (look for mixed content warnings) or run Barrion's mixed content check. Note which URLs are requested over HTTP.
2. Update URLs to HTTPS or relative
Change all resource URLs from http:// to https:// or use protocol-relative URLs (//) or relative paths so they use the same scheme as the page.
3. Fix hardcoded or CMS content
Check templates, CMS content, and third-party embeds. Replace http:// with https:// for images, scripts, styles, and iframes.
4. Redeploy and re-scan
Deploy changes and run the mixed content check again to confirm no HTTP resources remain on your HTTPS pages.
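One way to do the "find" step offline against templates or CMS exports, as an added example (not Barrion's code): the Python below lists the subresources an HTTPS page would request over HTTP and labels each as active or passive. The tag-to-category mapping, the function names and the example.test sample markup are assumptions of this example.

```python
from html.parser import HTMLParser

# Tag -> (URL attribute, category). Categories are this example's labels:
# "active" can run code or restyle the page; "passive" is display-only media.
SUBRESOURCE_TAGS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),  # only when rel contains "stylesheet"
    "img": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    """Collects subresources that an HTTPS page would request over HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, category, url)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCE_TAGS:
            return  # <a href="http://..."> is navigation, not a subresource
        attr_name, category = SUBRESOURCE_TAGS[tag]
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return  # canonical/alternate links are not loaded as resources
        url = attrs.get(attr_name, "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, category, url))

def find_mixed_content(html_text):
    finder = MixedContentFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample template; the example.test hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<a href="http://www.example.test/about">About</a>
<img src="//img.example.test/logo.png">
<img src="http://img.example.test/banner.jpg">
</body></html>"""

if __name__ == "__main__":
    for line, tag, category, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> [{category}] {url}")
```

This only covers URLs in HTML attributes; HTTP URLs inside CSS files or built by scripts at runtime still need the browser Console or a scan to surface.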
Check your site
Run Barrion's free TLS/HTTPS check to see if this finding applies to your app and get a full report.