You’ve installed an SSL certificate. The URL shows https://. The padlock is there.
So why does the browser still say “Not Secure”?
Mixed content is one of the most common — and most misunderstood — reasons HTTPS sites silently lose user trust, browser features, and even SEO value. It’s a problem that often goes unnoticed until a warning appears, a form stops working, or a browser update suddenly becomes less forgiving.
What Is Mixed Content?
Mixed content happens when a webpage is loaded over HTTPS, but some of its resources (images, scripts, stylesheets, fonts, iframes, AJAX calls) are requested over HTTP.
In simple terms:
- The page is encrypted
- Some of its parts are not
That breaks the security model HTTPS is meant to provide.
Active vs. Passive Mixed Content
Browsers treat mixed content differently depending on risk level.
Passive (display) mixed content
- Images
- Videos
- Audio files
These usually don’t execute code, but they still leak data and weaken trust.
Active mixed content
- JavaScript
- CSS
- API requests
- iframes
This is dangerous. An attacker can modify these resources and fully compromise the page — which is why modern browsers block them outright.
Why Mixed Content Is a Security Problem
Even one HTTP resource can:
- Allow man-in-the-middle attacks
- Expose cookies or session data
- Inject malicious scripts
- Bypass HTTPS protections entirely
From a browser’s point of view, HTTPS is only as strong as its weakest request.
How Browsers React to Mixed Content
Browser behavior has become stricter over time:
- Active mixed content is blocked by default
- Passive mixed content triggers warnings
- The padlock may disappear or show a warning icon
- Some APIs (geolocation, autofill, service workers) may stop working
To users, this looks like a broken or unsafe website — even if everything “seems fine” to you.
Common Causes of Mixed Content
- Hardcoded http:// URLs in HTML or CSS
- Old JavaScript libraries loaded from legacy CDNs
- CMS themes or plugins using absolute HTTP links
- User-generated content with embedded HTTP media
- Incorrect CDN or reverse-proxy configuration
Mixed content often survives migrations because it’s hidden in templates, databases, or third-party integrations.
How Mixed Content Breaks User Trust
Users may not understand SSL, but they understand warnings.
A missing padlock or “Not Secure” label:
- Reduces form submissions
- Lowers checkout completion rates
- Damages brand credibility
- Triggers support tickets and complaints
Trust is visual — and mixed content ruins the visual signal HTTPS is supposed to provide.
How to Detect Mixed Content
Common ways to spot it:
- Browser DevTools → Console → Security warnings
- Viewing blocked requests in the Network tab
- Online SSL and HTTPS scanners
- Crawling your site for http:// resources
The key is testing real pages, not just the homepage.
How to Fix Mixed Content (Properly)
- Replace all http:// URLs with https://
- Use protocol-relative URLs only when absolutely necessary
- Enable HTTPS on all third-party resources
- Update CDN and CMS configurations
- Implement Content Security Policy (CSP) reporting
- Force HTTPS redirects at the server level
Fixing mixed content is often less about SSL and more about cleanup and consistency.
Mixed Content and SEO
While mixed content isn’t a direct ranking penalty:
- Blocked resources affect page rendering
- Broken scripts impact UX signals
- Browser warnings reduce engagement
- Google’s HTTPS signals lose value
In practice, mixed content quietly undermines the benefits HTTPS is supposed to bring.
Final Thoughts
HTTPS is not a checkbox. It’s a promise.
Mixed content breaks that promise — not loudly, but visibly. The good news is that once identified, it’s usually fixable. The bad news is that many sites never realize the damage until users already have.