Mixed Content Checker
Detects HTTP resources on HTTPS pages and CSP upgrade directive
How it works
Detects HTTP resources loaded on HTTPS pages and checks for Content Security Policy upgrade-insecure-requests directive to prevent mixed content vulnerabilities.
What this checker validates
What This Checker Validates
This checker crawls your HTTPS landing pages to identify mixed content vulnerabilities by:
Network Monitoring
Monitors all network requests during page load
Detects any HTTP:// URLs being requested from HTTPS pages
Captures resource types (images, scripts, stylesheets, etc.)
DOM Analysis
Scans HTML elements for HTTP URLs in src/href attributes:
Output Documentation
Checker Output Documentation
| Output | Condition | Description | Action Required |
|---|---|---|---|
| β SUCCESS | No mixed content found | All resources (images, scripts, stylesheets, etc.) are loaded over HTTPS or use relative URLs | β No action needed - your site is secure |
| β οΈ WARNING | Mixed content found + CSP upgrade directive | HTTP resources detected, but Content-Security-Policy: upgrade-insecure-requests header is present | π Monitor: CSP will auto-upgrade HTTP to HTTPS, but consider updating URLs to HTTPS directly |
| β FAIL | Mixed content found + no CSP protection | HTTP resources detected without CSP upgrade-insecure-requests directive | π¨ Fix Required: Update all HTTP URLs to HTTPS or add CSP upgrade directive |
Test Logic
Page Load: Navigate to HTTPS page with network monitoring
Resource Detection: Capture all HTTP requests and scan DOM for HTTP URLs
CSP Analysis: Check response headers and meta tags for
upgrade-insecure-requestsResult Determination:
No HTTP resources β SUCCESS
HTTP resources + CSP upgrade β WARNING
HTTP resources + no CSP β FAIL
Risks and Considerations
Security Risks of Mixed Content
High Risk - Active Mixed Content
JavaScript over HTTP: Can be modified by attackers to inject malicious code
Stylesheets over HTTP: Can be manipulated to hide content or create fake interfaces
Iframes over HTTP: Can load malicious content in trusted context
Medium Risk - Passive Mixed Content
Images over HTTP: Can be replaced with malicious content or tracking pixels
Audio/Video over HTTP: Can be replaced with inappropriate content
Business Impact
Browser Warnings: Modern browsers show "Not Secure" warnings
SEO Penalties: Search engines may downrank sites with security issues
User Trust: Visitors may leave due to security warnings
Compliance: May violate security standards and regulations
Data Interception: HTTP resources can be intercepted and modified by attackers
Ready to start auditing?
Add this checker to your monitoring setup and start identifying issues on your websites today.