Tell Me When Down
How it worksWhat we checkPricing
Log inGet started
free tool · no login

Mixed content checker

Find everything your HTTPS page still loads over insecure http:// — the scripts and stylesheets browsers silently block, and the images that break your padlock. Paste a page, get the list.

One http:// URL is all it takes

A page is only as secure as its least secure part. Serve one script over plain HTTP and the browser blocks it completely — whatever that script did just stops, with nothing on the page to tell you. Serve one http:// image and the padlock your visitors look for quietly degrades to a warning.

The usual culprit isn't new code. It's a hardcoded URL from before the site had HTTPS — a logo, an old widget, an embed snippet from a tutorial — sitting in a template nobody has read in years.

Mixed content is one check. The free report runs them all.

Run the full scan free — security headers, TLS, cookies, DNS, exposed subdomains and more, graded A to F, with a plain-English fix for each finding.

Scan my site freeno signup · results in ~30 seconds

Mixed content, answered

What is mixed content?
Mixed content is when a page served over secure HTTPS loads some of its pieces — scripts, stylesheets, images, iframes — over plain, unencrypted HTTP. The page is secure but its parts aren't, and anything fetched over HTTP can be read or modified by whoever sits on the network path. Browsers treat it as a security problem, because it is one.
Why does my HTTPS site say “Not secure” or show a broken padlock?
Almost always mixed content: one http:// image or script somewhere in the page is enough to downgrade the padlock. It's typically an old hardcoded URL — a logo from before you had HTTPS, a widget snippet pasted years ago — that nobody has looked at since. A checker finds it faster than reading your templates.
What's the difference between active and passive mixed content?
Active mixed content is anything that can run code or change the page: scripts, stylesheets, iframes. Browsers block these outright — they simply don't load, and whatever they did on your page silently stops working. Passive mixed content is images, audio, and video; modern browsers try to auto-upgrade those to https:// and only break them if the secure version doesn't exist.
How do I fix mixed content warnings?
Change every http:// resource URL to https:// (almost every host serves both, so usually it's a find-and-replace), or use root-relative paths like /images/logo.png that inherit the page's scheme. Then add the response header Content-Security-Policy: upgrade-insecure-requests, which tells browsers to upgrade any http:// stragglers automatically — it's the safety net for the ones you missed.
Does mixed content hurt SEO?
Indirectly but really. Google has used HTTPS as a ranking signal since 2014, and a page with blocked resources can render broken for the crawler the same way it does for users — missing styles, missing content. Add the trust cost of a “Not secure” label on the page, and it's worth fixing regardless of where the rankings needle sits.
Do browsers block mixed content?
Yes, with a split policy: scripts, stylesheets, and iframes over http:// are blocked completely; images and media are auto-upgraded to https:// and blocked only if that fails. So a page with mixed content doesn't just warn — parts of it genuinely don't load, and because the failure is silent, you usually hear about it from a user, not from your own testing.

one request to your page · nothing stored · checks the HTML we receive, not scripts that run afterwards

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

status:all systems watched
product
How it worksWhat we checkPricingDocsFAQ
free tools
Website security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
company
About our botSupportLog inPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.comiad · ams · sin