How to fix: Mixed-content avoidance
OWASP A02
Why this matters
A single http:// image, script, or stylesheet on an https:// page breaks the TLS guarantee: that resource can be read or altered in transit by anyone on the network path, and an altered script runs with the full privileges of the secure origin. Modern browsers block active mixed content outright and upgrade or flag passive mixed content, so the page either breaks or loses its padlock.
Background
An HTTPS page that loads scripts, stylesheets, frames, images, or media over plain HTTP is serving mixed content: the padlock promises confidentiality and integrity that those resources do not have. Browsers distinguish active mixed content (scripts, stylesheets, iframes, objects; anything that can run code or change the DOM) from passive mixed content (images, audio, video). Active mixed content is blocked entirely; passive mixed content is either upgraded to https:// automatically or loaded with a degraded security indicator, depending on the browser and version. The CSP directive upgrade-insecure-requests tells the browser to rewrite http:// subresource requests (and same-origin navigations) to https:// before they are sent, which is useful during a migration. It does not fix the markup, and a resource on a host that does not serve HTTPS simply fails to load after the upgrade, so treat the directive as a safety net and still correct the URLs at the source.
References
MDN: Mixed Content · CSP upgrade-insecure-requests
How to fix
Guidance for each stack we cover. Pick the one matching your server or framework. In every case the Content-Security-Policy value may already carry other directives; upgrade-insecure-requests is added alongside them, not instead of them.
nginx
Append upgrade-insecure-requests; to the Content-Security-Policy value you send with the add_header directive. Use the always flag so error responses carry the header too, and remember that an add_header in a location block replaces, rather than extends, the headers inherited from the server block.
apache
Same: append the directive to the Content-Security-Policy value set with mod_headers (Header always set) in the virtual host or .htaccess, then reload the configuration.
cloudflare
Automatic HTTPS Rewrites = ON (under Speed → Optimization in older dashboards, SSL/TLS → Edge Certificates in current ones). It only rewrites references to hosts Cloudflare knows serve HTTPS, and only in responses proxied through Cloudflare, so it is a stopgap, not a substitute for fixing the markup.
wordpress
The Really Simple SSL plugin includes a mixed-content scanner and fixer. Alternatively, replace http://yourdomain.com with https://yourdomain.com throughout the database, but not with a raw SQL REPLACE: wp_options and post meta hold PHP-serialized arrays whose string lengths are encoded, and a naive replace corrupts them. Use WP-CLI's wp search-replace, which handles serialized data, update the WordPress Address and Site Address settings, then check theme and plugin files for hard-coded http:// asset URLs.
flask
Add upgrade-insecure-requests to the Content-Security-Policy header your app sends (an after_request hook, or the Flask-Talisman extension's content_security_policy option); then audit templates and static CSS for hard-coded http:// URLs.
express
Helmet's default contentSecurityPolicy already emits upgrade-insecure-requests; if you pass your own directives, keep upgradeInsecureRequests in the list. Review hard-coded asset URLs in views and in bundled front-end code.
rails
Same: in config/initializers/content_security_policy.rb (or per controller) set content_security_policy { |p| p.upgrade_insecure_requests true }, and grep app/views and app/assets for literal http:// URLs.
Verify it's working
Open the page in Chrome DevTools with the cache disabled and reload it. The Issues panel lists each offending resource under 'Mixed Content', the Console logs a 'Mixed Content:' warning per resource, and the Security panel shows whether the page still counts as secure. Check the response headers as well (for example with curl -I) to confirm the Content-Security-Policy header actually carries upgrade-insecure-requests, because a browser that honours the directive will hide remaining http:// references rather than report them.
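The DevTools check only sees one page at a time and only what your browser chose to load. As an added example (not the page's own tooling), here is a stdlib-only Python scanner that finds mixed content the way a browser would classify it: it parses the HTML, resolves every subresource URL against the page URL, and reports each http:// hit as active or passive, matching the distinction described under Background. The page URL, host names and HTML below are constructed for the demonstration; pass a real https:// URL on the command line to scan a live page.

```python
"""Static mixed-content scanner (added example; constructed sample data)."""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from urllib.request import urlopen

# Element/attribute pairs whose http:// loads are *active* mixed content:
# browsers block these outright on an https:// page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
# *Passive* mixed content: auto-upgraded or loaded with a degraded indicator.
PASSIVE = {("img", "src"), ("img", "srcset"), ("source", "src"), ("source", "srcset"),
           ("audio", "src"), ("video", "src"), ("video", "poster")}
# http:// inside CSS url(...) in <style> blocks or style="" attributes (active).
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)


class SubresourceCollector(HTMLParser):
    """Collects (tag, attr, raw_url) for everything the browser would fetch."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for t, attr in ACTIVE | PASSIVE:
            if t == tag and a.get(attr):
                if attr == "srcset":
                    # "url 1x, url 2x": keep only the URL part of each candidate
                    for cand in a[attr].split(","):
                        parts = cand.split()
                        if parts:
                            self.refs.append((tag, attr, parts[0]))
                else:
                    self.refs.append((tag, attr, a[attr]))
        # Only stylesheets count as mixed content among <link> elements.
        if tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self.refs.append(("link", "href", a["href"]))
        for url in CSS_URL.findall(a.get("style", "")):
            self.refs.append((tag, "style", url))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # HTMLParser hands <style> content to handle_data
            for url in CSS_URL.findall(data):
                self.refs.append(("style", "css", url))


def find_mixed_content(page_url, html):
    """Return the http:// subresources an https:// page would try to load."""
    if urlsplit(page_url).scheme != "https":
        return []  # an http:// page cannot have mixed content by definition
    parser = SubresourceCollector()
    parser.feed(html)
    findings = []
    for tag, attr, raw in parser.refs:
        absolute = urljoin(page_url, raw.strip())  # resolves relative and // URLs
        if urlsplit(absolute).scheme == "http":
            kind = "passive" if (tag, attr) in PASSIVE else "active"
            findings.append({"tag": tag, "attr": attr, "url": absolute, "kind": kind})
    return findings


def summarize(findings):
    """Count findings per kind; active > 0 means the page is broken in browsers."""
    return {"active": sum(f["kind"] == "active" for f in findings),
            "passive": sum(f["kind"] == "passive" for f in findings)}


def scan_url(url):
    """Fetch a live page (network access) and scan its final URL and body."""
    with urlopen(url) as resp:  # follows redirects; the final URL is what matters
        charset = resp.headers.get_content_charset() or "utf-8"
        return find_mixed_content(resp.geturl(), resp.read().decode(charset, "replace"))


# Constructed sample: hypothetical hosts, mixing fine and broken references.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://cdn.example/theme.css">
  <link rel="icon" href="http://cdn.example/favicon.ico">
  <script src="http://cdn.example/analytics.js"></script>
  <script src="//cdn.example/app.js"></script>
  <script src="/static/local.js"></script>
  <style>body { background: url(http://cdn.example/bg.png) }</style>
</head><body>
  <div style="background:url('http://cdn.example/hero.jpg')"></div>
  <img src="/images/logo.png" srcset="http://img.example/logo-2x.png 2x">
  <img src="http://img.example/banner.jpg">
  <iframe src="http://widgets.example/chat"></iframe>
  <a href="http://partner.example/">a link is navigation, not a subresource</a>
</body></html>
"""

if __name__ == "__main__":
    results = scan_url(sys.argv[1]) if len(sys.argv) > 1 else \
        find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for f in results:
        print(f"{f['kind']:7} <{f['tag']} {f['attr']}> {f['url']}")
    print(summarize(results))
```

On the sample this reports five active hits (the stylesheet, analytics.js, both CSS backgrounds and the iframe) and two passive ones (the srcset candidate and the banner), while the protocol-relative and root-relative scripts, the icon link and the anchor are correctly left alone. The scanner reads the HTML as served, so it deliberately ignores upgrade-insecure-requests and will keep listing references the browser would silently upgrade; those are exactly the ones to fix in the source. It cannot see resources injected by JavaScript at runtime, so keep the DevTools check for those.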