Janitor
Start your free trial Start free
FeaturesHow it worksReportsPricing Log in Start your free trial

Security

Mixed content checker

Find insecure http resources loaded by a secure https page.

Free tool vs Janitor

This free tool scans only the single page you enter. Janitor crawls every page and flags insecure resources site-wide, so a stray http:// asset on a deep page does not slip through.

See the full site-wide check in Janitor
Example Mixed content checker result

What this checks

Mixed content is when a secure https page loads some resources over plain http: a script, a stylesheet, an image or an iframe. Browsers either block them or warn about them.

This tool fetches an https page and flags any http subresources it finds in the HTML.

Why it matters

Mixed content breaks the padlock and can stop scripts and styles loading, so the page looks broken. An http script is also a real security hole.

It creeps in through hard-coded http URLs in templates, old content or third-party embeds, so it is worth checking after any change.

How to fix common failures

1

Switch resources to https

Update hard-coded http URLs to https, or use protocol-relative or relative paths.

2

Find it in the source

Search the codebase and database for http:// references in templates and content.

3

Add upgrade-insecure-requests

A Content-Security-Policy directive can upgrade requests, but fixing the source is cleaner.

Mixed content checker is one check. Janitor watches mixed content automatically across every client site and puts it in a branded report.

Start your free trial

Keep reading

Related

Security headers checker

Open →

SSL certificate checker

Open →

Every check Janitor runs

Open →

FAQ

Mixed content checker FAQ

What counts as mixed content?

Any http resource loaded by an https page: scripts, stylesheets, images, iframes, audio and video. Active content like scripts is the most serious.

Does the tool find resources loaded by JavaScript?

It checks the HTML the server returns. Resources injected later by JavaScript may not appear. For a fuller picture, the browser console flags mixed content too.

Can I monitor this continuously?

Yes. Janitor checks for mixed content on every site so a new http embed is caught before a client notices the padlock has gone.

Get started

Check it once, or watch it for every client

Janitor runs around two dozen checks on every site you manage and turns them into a branded report.

Start your free trial All free tools

30-day free trial. No credit card required.