How to fix: Mixed-content avoidance

OWASP Top 10 A02:2021 (Cryptographic Failures)

Why this matters

A single http:// image, script, or stylesheet on an https:// page breaks the TLS guarantee: anyone on the network path can read or modify that resource in transit. Modern browsers refuse to load it (scripts, stylesheets, frames) or upgrade and flag it (images, media), so the page either breaks or loses its lock icon.

Background

An HTTPS page that loads scripts, images, or stylesheets over plain HTTP makes the lock icon a lie: an on-path attacker who can alter one http:// script controls the whole page. Browsers block active mixed content (scripts, stylesheets, iframes, fetch/XHR) outright. Passive mixed content (images, audio, video) cannot touch the DOM, so browsers historically only degraded the lock icon; current Chrome and Firefox auto-upgrade those requests to https:// and fail them if the upgrade does not work. The CSP directive upgrade-insecure-requests tells the browser to rewrite every http:// subresource request (first- and third-party) and every same-origin navigation to https:// before it is sent, which makes it a useful stopgap during a migration while the hard-coded URLs are fixed at source.

References

MDN: Mixed Content · CSP upgrade-insecure-requests

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework. In every case upgrade-insecure-requests is a browser-side patch: it only works if each rewritten host actually serves the resource over HTTPS (otherwise the load fails instead of being blocked), and it has no effect in a Content-Security-Policy-Report-Only header. Fix the http:// URLs in templates and content as the permanent change.

nginx
Append upgrade-insecure-requests to the value of your existing Content-Security-Policy add_header directive (keep the always flag so error responses get it too). If you send no CSP yet, a policy consisting of only that directive is valid.
apache
Same: append it to the policy set with Header always set Content-Security-Policy.
cloudflare
SSL/TLS → Edge Certificates → Automatic HTTPS Rewrites = ON. It only rewrites hosts Cloudflare knows support HTTPS (proxied through Cloudflare or on the HSTS preload list), so fix the URLs at source as well.
wordpress
Really Simple SSL plugin includes a mixed-content scanner; OR replace http://yourdomain.com → https://yourdomain.com in wp_options (siteurl, home) and post content with WP-CLI's search-replace command, which handles serialized option values. A raw SQL REPLACE corrupts serialized arrays because the string length changes.
flask
Add upgrade-insecure-requests to your CSP, either in an after_request hook that sets the Content-Security-Policy header or via Flask-Talisman's content_security_policy option; audit templates for hard-coded http:// URLs.
express
Add the upgradeInsecureRequests directive to the contentSecurityPolicy directives in your helmet config (helmet's default policy already includes it); review hard-coded asset URLs.
rails
Same, in the CSP initializer: content_security_policy { |p| p.upgrade_insecure_requests true }

Verify it's working

Open the page in Chrome DevTools. The Issues panel lists findings under 'Mixed Content'; the Console logs 'Mixed Content:' warnings naming each insecure URL; the Network panel shows the blocked requests and, once upgrade-insecure-requests is in place, lets you confirm that the https:// versions actually return 200 rather than failing. Check with curl -sI https://yourdomain.com that the Content-Security-Policy header containing the directive is really served, not only configured.
