Free Tool
Mixed Content Checker
Find HTTP resources that are loaded from HTTPS pages and can create browser warnings, blocked assets, or security gaps.
Sign in with Google or GitHub to run the scan. Start with a free scan.
What this tool checks
This page uses ZeriFlow's deterministic website security engine and focuses the guidance on the configuration area above. For the full report, run a complete free security scan.
Key Checks
Active Content
Looks for HTTP scripts, stylesheets, workers, and iframes on HTTPS pages.
Passive Content
Reviews image, font, and media resources that may still trigger warnings.
Third-Party Assets
Identifies external resources that need HTTPS support or replacement.
Upgrade Guidance
Explains common fixes such as HTTPS URLs, asset migration, and CSP upgrade-insecure-requests.
Recommended Baseline
Assets
Serve all scripts, styles, fonts, images, and media over HTTPS.
CSP
Consider upgrade-insecure-requests after testing resource compatibility.
Third Parties
Replace vendors or CDN URLs that do not support HTTPS.
Regression
Recheck after theme, CMS, analytics, or tag manager changes.
FAQ
What is mixed content?
Mixed content happens when an HTTPS page loads resources over plain HTTP. This can weaken security and cause browser warnings or blocked resources.
Which mixed content is most dangerous?
Active content such as scripts, stylesheets, iframes, and workers is most dangerous because it can affect page behavior.
How do I fix mixed content?
Update resource URLs to HTTPS, use protocol-relative URLs only when safe, proxy old assets, or remove third-party resources that do not support HTTPS.
Can images cause mixed content warnings?
Yes. Browsers may auto-upgrade or block some passive mixed content, but image and media URLs should still be served over HTTPS.
Need the full security picture?
ZeriFlow combines deterministic website checks across headers, TLS, DNS, cookies, and email security with monitoring, reporting, and AI-powered developer workflows where implemented.