Security

Mixed content checker

Find insecure http resources loaded by a secure https page.

Free, no sign-up Runs on demand, nothing stored

Free tool vs Janitor

This free tool scans only the single page you enter. Janitor crawls every page and flags insecure resources site-wide, so a stray http:// asset on a deep page does not slip through.

See the full site-wide check in Janitor →
Sample result
brightleaf.co.uk
Insecure resources on /
3 insecure
image /img/banner.jpg
image /img/logo.png
script /js/widget.js

Your result

What this checks

The http hiding inside https

Mixed content is when a secure https page loads some resources over plain http: a script, a stylesheet, an image or an iframe. Browsers either block them or warn about them.

This tool fetches an https page and flags any http subresources it finds in the HTML.

Why it matters

One insecure asset breaks the lock

Mixed content breaks the padlock and can stop scripts and styles loading, so the page looks broken. An http script is also a real security hole.

It creeps in through hard-coded http URLs in templates, old content or third-party embeds, so it is worth checking after any change.

How to fix it

Get every resource onto https

1

Switch resources to https

Update hard-coded http URLs to https, or use protocol-relative or relative paths.

2

Find it in the source

Search the codebase and database for http:// references in templates and content.

3

Add upgrade-insecure-requests

A Content-Security-Policy directive can upgrade requests, but fixing the source is cleaner.

One of around two dozen checks

Mixed content checker is one check

Janitor watches mixed content automatically across every client site and puts it in a branded report you can send.

Keep reading

Related tools and guides

FAQ

Mixed content checker FAQ

What counts as mixed content?

Any http resource loaded by an https page: scripts, stylesheets, images, iframes, audio and video. Active content like scripts is the most serious.

Does the tool find resources loaded by JavaScript?

It checks the HTML the server returns. Resources injected later by JavaScript may not appear. For a fuller picture, the browser console flags mixed content too.

Can I monitor this continuously?

Yes. Janitor checks for mixed content on every site so a new http embed is caught before a client notices the padlock has gone.

Get started

Check it once, or watch it for every client

Janitor runs around two dozen checks on every site you manage and turns them into a branded report.

30-day free trial. No credit card required.