Mixed Content — HTTP Resources Loading on HTTPS Pages

Chrome now automatically blocks mixed content on HTTPS pages — meaning HTTP-loaded scripts and resources simply won't work (Chrome Security, 2024). This breaks page functionality silently: images disappear, styles fail to load, and interactive features stop working. Your users see a degraded experience without understanding why, and search engines flag it as a sign of poor maintenance.

Start here

Before You Fix It: What This Check Means

Mixed content means an HTTPS page still pulls at least one HTTP resource, weakening the security boundary. In plain terms, this tells you whether visitors are protected by the security setup you intend to run in production. Scavo scans many common resource paths inside the page snapshot, including scripts, stylesheets, images, media sources, iframes, form actions, srcset entries, and inline CSS url(...) references.

Why this matters in practice: weak settings here can increase breach risk and incident blast radius before teams notice.

How to use this result: treat this as directional evidence, not final truth. A crawl snapshot cannot prove that every route, subdomain, or transient edge rule is consistently configured. First, confirm the issue in live production output with browser/network tools. Then ship one controlled change: search templates/content for `http://` asset references. Finally, re-scan the same URL to confirm the result improves.

TL;DR: Images, scripts, or stylesheets are loading over HTTP on your HTTPS pages, causing browser warnings and breaking page functionality.

What Scavo checks (plain English)

Scavo scans many common resource paths inside the page snapshot, including:

  • Scripts, stylesheets, images, media sources, iframes
  • Form actions
  • srcset entries
  • Inline/style-block url(...) CSS references

How Scavo scores this check

Result behavior:

  • Pass: no http:// resource references found
  • Fail: one or more HTTP resources found on HTTPS page
  • Info: scanned page itself is HTTP (mixed-content check not applicable yet)
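As an added illustration (not Scavo's own code, which is not published on this page), here is a small Python scanner that walks an HTML snapshot the way the check above describes and returns the same pass / fail / info outcome. The sample HTML, the host names in it, and the choice of which `<link rel>` values count as fetched resources are assumptions made for the example; protocol-relative (`//host/path`) and relative URLs are deliberately not flagged because they inherit the page scheme.

```python
import re
from urllib.parse import urlsplit

# Constructed sample snapshot (not a real site). It deliberately mixes clean,
# relative, protocol-relative and insecure references.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<style>.hero { background: url("http://img.example.com/hero.jpg"); }</style>
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="/images/logo.png" srcset="/images/logo.png 1x, http://img.example.com/logo@2x.png 2x">
<form action="http://www.example.com/subscribe" method="post"></form>
<iframe src="//widgets.example.com/embed"></iframe>
<div style="background-image: url(http://img.example.com/bg.png)"></div>
</body></html>"""

# Elements that load a resource or submit data, and the attributes that carry URLs.
TAG_RE = re.compile(
    r"<(?P<tag>script|link|img|source|video|audio|iframe|form)\b(?P<attrs>[^>]*)>",
    re.IGNORECASE | re.DOTALL,
)
ATTR_RE = re.compile(
    r"(?<![\w-])(?P<name>src|href|action|srcset)\s*=\s*(?P<q>[\"'])(?P<val>[^\"']*)(?P=q)",
    re.IGNORECASE,
)
REL_RE = re.compile(r"(?<![\w-])rel\s*=\s*[\"']([^\"']*)[\"']", re.IGNORECASE)
STYLE_BLOCK_RE = re.compile(r"<style\b[^>]*>(.*?)</style>", re.IGNORECASE | re.DOTALL)
STYLE_ATTR_RE = re.compile(r"(?<![\w-])style\s*=\s*[\"']([^\"']*)[\"']", re.IGNORECASE)
CSS_URL_RE = re.compile(r"url\(\s*[\"']?([^\"')]+)[\"']?\s*\)", re.IGNORECASE)

# Assumed set of <link rel> values that make the browser fetch the href.
# rel="canonical" or rel="alternate" are metadata, not resource loads.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


def is_insecure(url: str) -> bool:
    """True only for an explicit http: scheme."""
    return urlsplit(url.strip()).scheme.lower() == "http"


def srcset_urls(value: str):
    """Yield the URL part of each comma-separated '<url> [descriptor]' candidate."""
    for candidate in value.split(","):
        parts = candidate.strip().split()
        if parts:
            yield parts[0]


def find_insecure_references(html: str):
    """Return (location, url) pairs for every explicit http:// resource reference."""
    findings = []
    for tag_match in TAG_RE.finditer(html):
        tag = tag_match.group("tag").lower()
        attrs = tag_match.group("attrs")
        if tag == "link":
            rel = REL_RE.search(attrs)
            rels = set(rel.group(1).lower().split()) if rel else set()
            if not rels & FETCHING_LINK_RELS:
                continue
        for attr in ATTR_RE.finditer(attrs):
            name = attr.group("name").lower()
            urls = srcset_urls(attr.group("val")) if name == "srcset" else [attr.group("val")]
            for url in urls:
                if is_insecure(url):
                    findings.append((f"{tag}[{name}]", url.strip()))
    # CSS references: <style> blocks and inline style="..." attributes.
    for block in STYLE_BLOCK_RE.finditer(html):
        for url in CSS_URL_RE.findall(block.group(1)):
            if is_insecure(url):
                findings.append(("style-block url()", url.strip()))
    for style in STYLE_ATTR_RE.finditer(html):
        for url in CSS_URL_RE.findall(style.group(1)):
            if is_insecure(url):
                findings.append(("style-attr url()", url.strip()))
    return findings


def scan_mixed_content(page_url: str, html: str) -> dict:
    """Mirror the result behaviour described above: info, fail or pass."""
    if urlsplit(page_url).scheme.lower() != "https":
        return {"status": "info", "reason": "page itself is HTTP; check not applicable yet", "findings": []}
    findings = find_insecure_references(html)
    return {"status": "fail" if findings else "pass", "findings": findings}


if __name__ == "__main__":
    for location, url in scan_mixed_content("https://www.example.com/", SAMPLE_HTML)["findings"]:
        print(f"{location:20} {url}")
```

On the constructed snapshot this reports five insecure references (the stylesheet, the 2x srcset candidate, the form action, and the two CSS url() values) and ignores the canonical link, the HTTPS script, the relative image and the protocol-relative iframe. Note that a snapshot scanner like this cannot see URLs a script injects at runtime, which is the same limitation the page lists under "What this scan cannot confirm".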

In your scan report, this appears under the What failed, What needs attention, or What is working heading for mixed_content, followed by Recommended next steps and Technical evidence (for developers) when needed.

  • Scan key: mixed_content
  • Category: SECURITY

Why fixing this matters

Mixed content weakens transport guarantees and can break page functionality when browsers block insecure resources. Even a single legacy URL can cause visual or interactive regressions.

It also damages trust signals for prospects and security reviewers who expect consistent HTTPS across all assets.

Common reasons this check fails

  • Hardcoded http:// URLs in templates or old CMS fields.
  • Legacy image/CDN links copied from previous environments.
  • Inline CSS background URLs not updated to HTTPS.
  • Third-party embed snippets pasted without protocol update.

If you are not technical

  1. Ask your team for a list of exact HTTP resource URLs found.
  2. Prioritize fixes on critical pages first (home/pricing/signup).
  3. Ensure editors know to avoid hardcoded http:// links.
  4. Re-scan and verify mixed-resource count reaches zero.

Technical handoff message

Copy and share this with your developer.

Scavo flagged Mixed Content (mixed_content). Please replace all HTTP resource references on HTTPS pages with HTTPS (or protocol-safe alternatives), including srcset and CSS url() paths.

If you are technical

  1. Search templates/content for http:// asset references.
  2. Update to HTTPS URLs or safe relative/protocol-appropriate paths.
  3. Audit embedded third-party widgets/snippets for insecure references.
  4. Enforce HTTPS rewrite/canonicalization in content pipelines.
  5. Add automated tests to block new http:// asset regressions.
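The rewrite, canonicalization and regression-gate steps (2, 4 and 5) as a worked Python example, added here and not part of Scavo or the original page. It upgrades http:// references to https:// only inside asset attributes and CSS url() contexts, and only for hosts on an allowlist you have confirmed serve HTTPS, because a blind rewrite to a host with no TLS listener turns a mixed-content warning into a missing asset; anything else is reported for manual review. The template text, the host names and the allowlist are constructed for the example.

```python
import re

# Constructed template fragment (not a real site).
TEMPLATE = """<link rel="stylesheet" href="http://cdn.example.com/site.css">
<img src="http://img.example.com/a.png" srcset="http://img.example.com/a.png 1x, http://img.example.com/a@2x.png 2x">
<script src="http://legacy-widgets.example.net/embed.js"></script>
<style>body { background: url(http://img.example.com/bg.png); }</style>
<p>Read the announcement at http://blog.example.com/launch</p>
"""

# Assumed allowlist: hosts the team has verified answer on HTTPS.
HTTPS_HOSTS = {"cdn.example.com", "img.example.com"}

# Only rewrite inside contexts the browser treats as resource/submit URLs or CSS
# url() values. A bare http:// in visible text is left alone on purpose.
CONTEXT_RE = re.compile(
    r"(?:(?<![\w-])(?:src|href|action|srcset|style)\s*=\s*[\"'][^\"']*[\"'])|url\([^)]*\)",
    re.IGNORECASE,
)
HTTP_HOST_RE = re.compile(r"http://(?P<host>[^/\"'\s),]+)", re.IGNORECASE)


def upgrade_asset_urls(text: str, https_hosts: set):
    """Return (rewritten_text, upgraded_origins, unresolved_origins).

    Every http://host inside an asset context is rewritten to https://host when
    the host is on the allowlist; otherwise it is left unchanged and listed as
    unresolved so a human decides (re-host the asset, or confirm the host has TLS).
    """
    upgraded, unresolved = [], []

    def fix_context(ctx_match):
        def fix_url(url_match):
            host = url_match.group("host")
            if host.lower() in https_hosts:
                upgraded.append(url_match.group(0))
                return "https://" + host
            unresolved.append(url_match.group(0))
            return url_match.group(0)

        return HTTP_HOST_RE.sub(fix_url, ctx_match.group(0))

    return CONTEXT_RE.sub(fix_context, text), upgraded, unresolved


def remaining_insecure(text: str):
    """CI gate for step 5: list every http:// origin still used in an asset context.
    Running the rewriter with an empty allowlist changes nothing and reports all of them."""
    return upgrade_asset_urls(text, set())[2]


if __name__ == "__main__":
    new_text, upgraded, unresolved = upgrade_asset_urls(TEMPLATE, HTTPS_HOSTS)
    print(new_text)
    print("upgraded:", len(upgraded), "needs review:", unresolved)
```

Run `remaining_insecure()` over rendered templates or CMS output in the build and fail the job when it returns anything; that turns the step 5 regression test into a blocking check rather than a periodic audit. On the constructed template the allowlisted stylesheet, image, srcset candidates and CSS background are upgraded, the legacy widget host is reported for review, and the URL in the paragraph text is untouched.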

How to verify

  • Inspect source for http:// resource links.
  • Test page in browser console for mixed-content warnings.
  • Validate key pages and template variants.
  • Re-run Scavo and confirm no mixed resources remain.

What this scan cannot confirm

  • It does not verify every dynamically injected runtime URL.
  • It does not test off-page assets that load conditionally post-interaction.
  • It evaluates URLs in the observed HTML snapshot.

Owner checklist

  • [ ] Assign owner for HTTPS-only asset policy.
  • [ ] Add CI/content-lint checks for http:// resource references.
  • [ ] Audit rich-text/CMS fields that allow arbitrary embeds.
  • [ ] Revalidate after CDN/domain migrations.

FAQ

Is one mixed image really a big issue?

It can still trigger warnings and broken content behavior; treat all mixed references as cleanup targets.

Can protocol-relative URLs solve this?

They can in some setups, but explicit HTTPS is usually clearer and safer.

Why does this return info on HTTP pages?

Because mixed-content logic applies once the page itself is served over HTTPS.

What should we fix first?

Start with scripts/forms/iframes, then images/media and CSS background URLs.

Need a regex/lint policy to block insecure asset URLs before publish? Send support your template/CMS setup.

More checks in this area

  • cookie_security_flags: Unsafe Cookie Flags — Session Cookies Too Easy to Steal or Replay. Learn how Scavo checks live Set-Cookie headers for Secure, HttpOnly, SameSite, and prefix-rule mistakes so session and auth cookies are not left too loose.
  • security_headers: Weak Security Headers — Missing or Misconfigured Browser Protections. Learn how Scavo checks critical browser security headers, including weak or invalid values, so your live responses are not giving a false sense of protection.
  • content_security_policy: Content Security Policy (CSP) Missing or Too Permissive. XSS accounts for approximately 20% of reported web vulnerabilities across all industries (OWASP, 2024). A strong CSP is your primary defence — yet only 21.9% of sites have adopted CSP (HTTP Archive, 2025), and 91% of those still include unsafe-inline, making the policy ineffective. Without CSP, a single compromised third-party script or input field can steal user data, inject malware, or deface your site.