
Author: Government Digital Service

Mixed content error

What this means

When a user visits a page served over HTTPS, the connection is encrypted with TLS (still commonly called SSL), which protects the page from eavesdroppers and man-in-the-middle (MITM) attacks.

However, if that HTTPS page loads some of its resources (scripts, stylesheets, images, frames) over plain HTTP, those resources can be read or modified by an attacker on the network, even though the main page itself is served over HTTPS.

A page that combines HTTPS and HTTP content in this way is said to contain “mixed” content. The page is only partially protected, and browsers respond by blocking the insecure resources, showing a warning in the address bar or developer console, or both.

Why this is a problem

Mixed content is an issue because it compromises the security of a website that is otherwise loading over a secure HTTPS connection.

An attacker can potentially intercept and modify insecure HTTP content, which can lead to:

  • data interception – a request for an insecure HTTP resource is sent in clear text, including the URL and any cookies not marked Secure. An attacker on the path can read it, and if the page also submits a form over HTTP they can read whatever the user typed, such as login credentials or card numbers
  • active content manipulation – “active” mixed content includes JavaScript, stylesheets and frames, which can change the page. A script loaded over HTTP runs with the full privileges of the HTTPS page that included it, so an attacker who replaces it in transit can alter the content, steal user data or redirect users to a malicious site
  • spoofing and phishing – an attacker can modify an insecure part of a page to make it look legitimate, creating a phishing attempt where users unknowingly enter their information into a fake form
  • loss of security assurance – the presence of mixed content breaks the trust that a user has in a secure connection. The padlock icon or “https” in the address bar becomes misleading because only parts of the page are protected
  • tracking and privacy issues – even passive mixed content (such as images) is fetched with a clear-text request, so a network observer can see which pages the user visits and any cookies sent with that request, and can use that to track the user across sites

How to check if the problem is there

The easiest way to check for mixed content is to view the page in a modern browser with the developer tools console open. Browsers block active mixed content (scripts, stylesheets, frames) outright and either upgrade or block passive content such as images; each blocked or upgraded resource is logged in the console with the URL that caused it, and the address bar loses its padlock or shows a warning.

An alternative is to use a website scanner that crawls the site over HTTPS, checks every link and embedded resource reference for an http:// URL, and produces a report highlighting any mixed content.

How to fix this

An administrator can avoid issues with mixed content by:

  • serving all content from your domain over HTTPS
  • making all references to resources hosted on your domain into relative links (for example /assets/main.css) or HTTPS links, including downloads
  • referencing resources hosted on third-party domains with https:// and checking that those hosts actually serve them over HTTPS
  • as a safety net, setting the Content-Security-Policy header directive upgrade-insecure-requests, which instructs the browser to request any remaining http:// subresources over HTTPS instead
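As an added example (not code from this page or from the Government Digital Service), the following Python script does the check described above and applies the same-origin part of the fix: it parses a page, reports every reference that uses an explicit http:// scheme, classifies each as active, passive, form submission or plain navigation, and rewrites references to the site's own host to https://. The page URL, host names and markup are constructed for illustration; a real scanner would first fetch the page over HTTPS.

```python
"""Mixed-content scanner and same-origin rewriter (added example, not GDS code).

Assumes the HTML has already been fetched and is available as a string.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose URL attribute loads a subresource, and how a browser treats
# an HTTP load of that element from an HTTPS page.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class _Scanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag in ACTIVE and attr_map.get(ACTIVE[tag]):
            self._record(tag, ACTIVE[tag], attr_map[ACTIVE[tag]], "active")
        elif tag in PASSIVE and attr_map.get(PASSIVE[tag]):
            self._record(tag, PASSIVE[tag], attr_map[PASSIVE[tag]], "passive")
        elif tag == "link" and attr_map.get("href") and \
                "stylesheet" in (attr_map.get("rel") or "").lower():
            # A stylesheet can restyle or hide parts of the page: active.
            self._record(tag, "href", attr_map["href"], "active")
        elif tag == "form" and attr_map.get("action"):
            # Not a subresource load, but a form posting to HTTP sends the
            # user's input in clear text; browsers warn on this separately.
            self._record(tag, "action", attr_map["action"], "submission")
        elif tag == "a" and attr_map.get("href"):
            # Not mixed content either, but an http:// link (e.g. a download)
            # takes the user off HTTPS, which the guidance says to avoid.
            self._record(tag, "href", attr_map["href"], "navigation")
        if tag in ("img", "source") and attr_map.get("srcset"):
            for candidate in attr_map["srcset"].split(","):
                url = candidate.strip().split(" ")[0]
                if url:
                    self._record(tag, "srcset", url, "passive")

    def _record(self, tag, attr, url, kind):
        url = url.strip()
        parts = urlsplit(url)
        # Only an explicit http: scheme is mixed content. Relative paths and
        # scheme-relative "//host/..." URLs inherit https: from the page.
        if parts.scheme.lower() != "http":
            return
        self.findings.append({
            "tag": tag, "attr": attr, "url": url, "kind": kind,
            "same_origin": (parts.hostname or "").lower() == self.page_host,
        })


def scan(html, page_url):
    """Return every http:// reference found in the page, in document order."""
    scanner = _Scanner(page_url)
    scanner.feed(html)
    return scanner.findings


def rewrite_same_origin(html, page_url):
    """Rewrite http://<our host>/... references to https://<our host>/...

    Only same-origin references are rewritten automatically, because the site
    already serves HTTPS. Third-party references are left in place so they
    show up in the report; the other host may not serve HTTPS at that path.
    """
    fixed = html
    for finding in scan(html, page_url):
        if finding["same_origin"]:
            fixed = fixed.replace(finding["url"], "https://" + finding["url"][len("http://"):])
    return fixed


# Constructed sample page and markup; the hosts are placeholders.
PAGE_URL = "https://www.example.gov.uk/apply"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://www.example.gov.uk/assets/main.css">
  <script src="http://cdn.example.net/analytics.js"></script>
  <script src="//cdn.example.net/ok.js"></script>
</head><body>
  <img src="http://www.example.gov.uk/assets/logo.png">
  <img src="/assets/relative.png">
  <form action="http://www.example.gov.uk/submit" method="post"></form>
  <a href="http://www.example.gov.uk/download.pdf">Download</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, PAGE_URL):
        scope = "same-origin" if f["same_origin"] else "third-party"
        print(f"{f['kind']:<10} {scope:<12} <{f['tag']} {f['attr']}> {f['url']}")
    for f in scan(rewrite_same_origin(SAMPLE_HTML, PAGE_URL), PAGE_URL):
        print("still needs attention:", f["url"])
```

On the sample page the scanner reports the stylesheet, the third-party script, the logo, the form action and the download link; the scheme-relative and path-relative references are correctly ignored. After the rewrite only the third-party analytics script remains, which has to be fixed by changing the reference to https:// and confirming the CDN serves it.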
