Mixed Content
Checks for HTTP resources loaded on HTTPS pages — browsers block or warn.
What this check measures
We scan HTML for `<script src="http://...">`, `<img src="http://...">`, and other subresource URLs that use the http:// scheme on HTTPS pages. Modern browsers block active mixed content (scripts, iframes) and warn about passive content (images, media).
Why it matters
Active mixed content is blocked, so the feature that depends on it breaks silently. Passive mixed content shows a "Not Fully Secure" indicator in Chrome, eroding trust. It is also a security risk: resources fetched over HTTP can be intercepted by a man-in-the-middle and replaced with injected content.
How our audit detects it
Parse HTML for all subresource URLs (script, img, iframe, link, video, audio). Flag any starting with http://.
Typical findings
- `<script src="http://cdn.example.com/lib.js">` — blocked, feature broken.
- `<img src="http://imgur.com/abc.jpg">` — warning shown, image loads.
- Hardcoded http://www. reference left from migration.
How to fix
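Replace every http:// reference with https:// or protocol-relative //. Add a Content-Security-Policy `upgrade-insecure-requests` directive to auto-upgrade any missed ones. The directive only rewrites the URL scheme, so a resource whose host does not serve HTTPS will still fail to load.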
Frequently asked questions
Does upgrade-insecure-requests help?
Related checks
HTTPS Enabled
Checks that the site serves over HTTPS and redirects HTTP to HTTPS.
TLS Version
Checks that the server uses TLS 1.2 or higher — older versions are broken.
SSL Certificate
Checks that the SSL certificate is valid, not expired, and not expiring soon.
HSTS Header
Checks for Strict-Transport-Security header — blocks HTTPS downgrade attacks.