Mixed Content
What is Mixed Content?
Mixed Content: Situation where an HTTPS page loads subresources (scripts, styles, images, XHR) over plain HTTP, weakening the page's overall security guarantees.
Mixed content occurs when a page served over HTTPS pulls in scripts, stylesheets, images, fonts, or fetch requests from insecure http:// URLs. Active mixed content (scripts, iframes, XHR) is dangerous because an on-path attacker can rewrite the response and inject code into the secure context, breaking confidentiality and integrity. Modern browsers block active mixed content by default and may auto-upgrade or block passive content like images. Defences include serving all assets over HTTPS, using protocol-relative or absolute https:// URLs, the upgrade-insecure-requests CSP directive, and HSTS to force HTTPS site-wide.
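A defender-side check for the condition described above, written as an added example (not code from this glossary): it parses an HTML document served from an HTTPS page URL, resolves each subresource URL the way a browser would (so protocol-relative and root-relative references inherit https), flags anything still fetched over http://, classifies it as active or passive, and reports whether a CSP `upgrade-insecure-requests` directive would rewrite those loads. The page URL, HTML and CSP header are constructed sample data.

```python
"""Flag http:// subresources in an HTML page served over HTTPS. Added example, not
code from the glossary; the page URL, HTML and CSP header below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def classify(tag, attrs):
    """Return ("active"|"passive", raw_url) for a subresource-fetching tag, else None."""
    if tag in ("script", "iframe") and attrs.get("src"):
        return "active", attrs["src"]   # executes code or frames content
    if tag == "link" and "stylesheet" in (attrs.get("rel") or "") and attrs.get("href"):
        return "active", attrs["href"]  # CSS is treated as active mixed content
    if tag in ("img", "audio", "video") and attrs.get("src"):
        return "passive", attrs["src"]  # media: browsers block or auto-upgrade it
    return None


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        hit = classify(tag, dict(attrs))
        if hit:
            severity, raw = hit
            url = urljoin(self.page_url, raw)  # "//cdn/x.js" and "/x.png" inherit https
            if urlsplit(url).scheme == "http":
                self.findings.append((severity, tag, url))


def scan(page_url, html, csp_header=""):
    """Mixed content only exists in a secure context, so an http:// page yields nothing.
    'upgraded' tells whether CSP upgrade-insecure-requests would rewrite the flagged loads."""
    if urlsplit(page_url).scheme != "https":
        return {"findings": [], "upgraded": False}
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    upgraded = "upgrade-insecure-requests" in csp_header.lower()
    return {"findings": scanner.findings, "upgraded": upgraded}


SAMPLE_PAGE = "https://shop.example/checkout"  # constructed sample page URL
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//analytics.example/tag.js"></script>
<script src="http://analytics.example/legacy.js"></script>
</head><body><img src="http://images.example/logo.png"><img src="/img/card.png"></body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_PAGE, SAMPLE_HTML)["findings"]:
        print(f"{severity:7} <{tag}> {url}")
```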
● Examples
- 01
An HTTPS checkout page that pulls a third-party analytics script over http:// can be hijacked to skim card data.
- 02
Browser console warning: "Mixed Content: The page was loaded over HTTPS, but requested an insecure script."
● Frequently asked questions
What is Mixed Content?
Situation where an HTTPS page loads subresources (scripts, styles, images, XHR) over plain HTTP, weakening the page's overall security guarantees. It belongs to the Application Security category of cybersecurity.
What does Mixed Content mean?
Situation where an HTTPS page loads subresources (scripts, styles, images, XHR) over plain HTTP, weakening the page's overall security guarantees.
How does Mixed Content work?
Mixed content occurs when a page served over HTTPS pulls in scripts, stylesheets, images, fonts, or fetch requests from insecure http:// URLs. Active mixed content (scripts, iframes, XHR) is dangerous because an on-path attacker can rewrite the response and inject code into the secure context, breaking confidentiality and integrity. Modern browsers block active mixed content by default and may auto-upgrade or block passive content like images. Defences include serving all assets over HTTPS, using protocol-relative or absolute https:// URLs, the upgrade-insecure-requests CSP directive, and HSTS to force HTTPS site-wide.
How do you defend against Mixed Content?
Defences for Mixed Content combine technical controls with operational practice: serve every asset over HTTPS, reference subresources with protocol-relative or absolute https:// URLs, send the upgrade-insecure-requests CSP directive so the browser rewrites any remaining http:// loads, and deploy HSTS to force HTTPS site-wide. Reviewing browser console warnings and scanning page templates for http:// references catches regressions.
● Related terms
- appsec № 214
Content Security Policy (CSP)
An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.
- network-security № 497
HTTP Strict Transport Security (HSTS)
A web security policy delivered via an HTTP response header that tells browsers to access a domain only over HTTPS for a declared period of time.
- attacks № 651
Man-in-the-Middle Attack
An attack in which an adversary secretly relays or alters communications between two parties who believe they are talking directly to each other.
- network-security № 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- appsec № 1114
Subresource Integrity (SRI)
A browser mechanism that verifies a cryptographic hash of a script or stylesheet loaded from a third party before executing it, preventing tampered files from running.
- appsec № 960
Same-Origin Policy (SOP)
Browser security rule that restricts how a document or script loaded from one origin can interact with a resource from a different origin.