Active mixed content
Scripts, stylesheets, iframes and form actions loaded over http:// are flagged as active, because browsers block them outright, which can break page functionality.
Passive mixed content
Images and media loaded over http:// are flagged as passive, since browsers downgrade the padlock or warn rather than block.
Resource inventory
Every insecure resource is listed by tag and attribute, so each problem URL is identifiable and fixable.
Severity verdict
A single verdict separates "actively breaking the page" from "cosmetic warning", so the urgent problems are not buried.
Honest scope
The scan covers the server-rendered HTML, and the boundary (JavaScript-injected resources are not executed) is stated plainly rather than implied away.
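The classification, inventory and verdict described above can be sketched as a static scan. This is an added example, not the checker's own code; the tag and attribute lists and the names MixedContentScanner, scan and SAMPLE are assumptions, and the sample page is constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs for the page's two categories; the exact tag list is an assumption.
ACTIVE = {("script", "src"), ("iframe", "src"), ("form", "action"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    """Inventory http:// sub-resources in static HTML by tag and attribute."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        # <link> is a sub-resource only for rel="stylesheet"; rel="canonical" etc. load nothing.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return
        for name, value in attrs.items():
            if not value.lower().startswith("http://"):
                continue
            if (tag, name) in ACTIVE:
                self.findings.append(("active", tag, name, value))
            elif (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, name, value))

def scan(html):
    """Return (verdict, findings) for one server-rendered HTTPS page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    severities = {f[0] for f in scanner.findings}
    verdict = "active" if "active" in severities else "passive" if severities else "clean"
    return verdict, scanner.findings

# Constructed sample page (not output from a real site).
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script>document.write('<img src="http://example.com/late.png">')</script>
</head><body>
<img src="HTTP://img.example.com/logo.png">
<form action="http://example.com/login"></form>
<a href="http://example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    verdict, findings = scan(SAMPLE)
    print(verdict, *findings, sep="\n")
```

The image written by the inline script is not reported, because the parser never executes JavaScript; that is the scope boundary the section describes.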
HTTPS is a baseline trust and ranking signal, and mixed content quietly undermines it. Active mixed content is the worst case: a browser silently blocks an http:// script on an https:// page, the feature it powered breaks, and the site owner often does not connect the broken behavior to the cause. Passive mixed content is less severe but still removes the full padlock, which erodes user trust on exactly the pages where trust converts.
Active http:// script or stylesheet
An insecure script or stylesheet is fixed by changing its URL to https://, since browsers block active mixed content and the page feature will not work until it loads securely.
http:// iframe or form action
An insecure iframe or form action is fixed by pointing it at an https:// URL, because browsers block insecure framed content and insecure form submission.
Passive http:// image or media
An insecure image or media file is fixed by serving it over https://, which restores the full secure padlock.
Hard-coded http:// URLs
Hard-coded http:// references are fixed by updating them to https:// (or protocol-relative) so no resource forces an insecure request.
Third-party resource only on http
A third-party resource available only over http:// is fixed by switching to an https:// equivalent or self-hosting it securely.
What is mixed content?
Mixed content is any resource loaded over http:// on a page served over https://, which compromises the security the HTTPS connection is supposed to provide.
What is the difference between active and passive mixed content?
Active mixed content (scripts, stylesheets, iframes, form actions) is blocked by browsers and can break the page. Passive mixed content (images, media) downgrades the padlock but usually still loads.
Why is my padlock not showing?
A missing or downgraded padlock on an HTTPS page is almost always caused by mixed content — at least one sub-resource is still being requested over http://.
Does mixed content affect SEO?
Mixed content weakens the HTTPS signal, can break functionality crawlers rely on, and erodes user trust, all of which work against SEO indirectly.
Does this tool catch JavaScript-injected resources?
Our Mixed Content Checker scans the server-rendered HTML and does not execute JavaScript, so resources injected at runtime are out of scope, and the tool states this boundary plainly.
Is this mixed content checker free?
Our Mixed Content / HTTPS Checker is free, with no sign-up, no limits, and nothing stored. The page you submit is fetched server-side, analyzed, and then discarded.