Mixed Content Detection
Catch HTTP resources on HTTPS pages before visitors see "Not Secure"
A single HTTP image on an HTTPS page triggers a browser security warning. A HTTP script breaks the page entirely. Mixed content creeps in after CMS updates, plugin installs, and content editor mistakes — and your uptime monitor never fires. SiteWatch scans for mixed content across all 9 resource types on every check, automatically.
- 9 resource types scanned: scripts, images, stylesheets, iframes, video, audio, objects, embeds, and media
- Active mixed content (scripts, iframes) flagged critical — browsers block these entirely
- Passive mixed content (images, stylesheets) flagged high — browsers show "Not Secure" warnings
Why it matters
Mixed content is the silent cause of "Not Secure" browser warnings
The padlock disappears
When an HTTPS page loads any HTTP resource, browsers remove the padlock icon or show a security warning. Visitors see "Not Secure" — and trust evaporates. SiteWatch finds mixed content before your clients' visitors do.
Active content breaks pages
HTTP scripts, iframes, objects, and embeds are blocked entirely by modern browsers. A single HTTP analytics tag or chat widget can silently break page functionality while your server returns 200 OK and uptime stays green.
Passive content triggers warnings
HTTP images, stylesheets, video, and audio are still loaded by browsers — but with a visible security warning. Your HTTPS site looks insecure even though the page renders. Clients notice. Their customers notice.
It appears after every CMS update
Mixed content is rarely there at launch — it creeps in after plugin installs, theme updates, and migrations from HTTP to HTTPS. SiteWatch checks continuously so you catch it the moment it appears, not in a client complaint.
HTTPS alone is not enough
Having a valid SSL certificate doesn't protect you from mixed content. Certificate monitoring catches expiry — mixed content monitoring catches what happens inside the page. Together they give you complete HTTPS health coverage.
Agencies discover this from clients
Without continuous monitoring, agencies find mixed content via client complaints — "why does my site say Not Secure?" SiteWatch makes it automatic: you know before they do, with evidence of exactly which resources are the problem.
9
Resource types scanned
Every check
Detection frequency
All plans
Included on
Detection coverage
Every mixed content type. Every check. No configuration.
Critical — browsers block these
- HTTP scripts — JavaScript files over HTTP are blocked entirely by modern browsers. Any script running over HTTP on an HTTPS page fails silently or breaks functionality outright.
- HTTP iframes — Embedded pages over HTTP are blocked. Login forms, payment widgets, and embedded tools stop working.
- HTTP objects and embeds — Plugins and embedded content served over HTTP are blocked. PDF viewers, media players, and embeds fail without warning.
High — browsers warn and still load
- HTTP images — Photos, logos, and product images served over HTTP trigger the "Not Secure" indicator even though the image loads. The padlock disappears.
- HTTP stylesheets — CSS files over HTTP trigger security warnings and may be blocked in strict configurations. Unstyled or partially broken layouts result.
- HTTP video and audio — Media files over HTTP trigger mixed content warnings. The media may play, but the security indicator is broken.
- HTTP media sources — Source, track, and srcset attributes pointing to HTTP URLs in video and audio elements.
How it works
Automatic detection on every check — zero configuration
Page fetched on schedule
SiteWatch fetches your HTTPS page on its normal monitoring schedule. Mixed content detection is built into every integrity check — no separate scan, no extra setup.
All resource references inspected
Every resource on the page is inspected: src, href, srcset, and inline styles. HTTP URLs on an HTTPS page are flagged by type and severity.
Severity determined automatically
Active mixed content (scripts, iframes, objects, embeds) generates a Critical incident — browsers block these. Passive content (images, stylesheets, media) generates a High incident — browsers warn but load them.
Incident created with evidence
An incident is created listing each HTTP resource found, its type, and its URL. The evidence table is the audit report — forward it directly to whoever manages the site.
Complete HTTPS coverage
SiteWatch monitors every layer of your HTTPS security
SSL certificate monitoring
Expiry warnings, full chain validation, and TLS protocol checks. SiteWatch monitors every certificate continuously — 30-day early warning so no client site ever expires silently.
Security header monitoring & regression
CSP, HSTS, X-Frame-Options, and more — checked on every scan. SiteWatch also detects security header regressions: if a deployment removes a header that was previously present, you get a high-severity alert within the hour.
Domain expiry monitoring
Domain registration expiry tracked automatically via RDAP for every monitored site. 30-day early warning before a client domain lapses — no WHOIS tools, no calendar reminders.
FAQ
Frequently asked questions
Mixed content occurs when an HTTPS page loads resources (scripts, images, stylesheets, iframes, media) over HTTP rather than HTTPS. Browsers flag these as insecure. Active mixed content (scripts, iframes) is blocked entirely by modern browsers. Passive mixed content (images, media) is loaded but triggers visible security warnings — the padlock icon disappears or shows a warning indicator.
Having a valid SSL certificate doesn't prevent mixed content. The certificate secures the connection between your server and the browser. If your page references any resource over HTTP — a plugin loading a script, a content editor pasting an image URL, a theme hardcoding HTTP paths — browsers will flag it. Mixed content is the most common reason an HTTPS site shows "Not Secure."
SiteWatch scans 9 resource types: scripts, images, stylesheets, iframes, video, audio, objects, embeds, and media sources (including srcset and track references). Active content types (scripts, iframes, objects, embeds) generate Critical incidents. Passive content types (images, stylesheets, video, audio) generate High incidents.
Yes. SSL monitoring checks whether your certificate is valid and when it expires. Mixed content monitoring checks whether your page content is actually served securely. A site can have a perfectly valid SSL certificate and still show "Not Secure" warnings if any page resource loads over HTTP. You need both for complete HTTPS coverage.
No. Mixed content detection runs automatically on every integrity check. There is nothing to enable, no scanning schedule to set up. If you are monitoring a site with SiteWatch, mixed content detection is already running.
All plans — Free, Starter, and Pro. Mixed content detection runs on every site you monitor, from your first free site to your full Pro portfolio.
Find mixed content before your clients' visitors do
Free plan. 1 site. Automatic detection. No credit card.
Explore more
Related monitoring capabilities
Security Header Monitoring
CSP, HSTS, X-Frame-Options, and regression alerts — continuous security posture monitoring.
SSL Certificate Monitoring
Continuous SSL expiry tracking, chain validation, and TLS cipher checks.
Domain Expiry Monitoring
Domain registration expiry tracked automatically — 30-day early warning.
Broken Assets Monitoring
Detect broken JS, CSS, images, and fonts on every check.