RevealTheme logo

Mixed Content Checker

Enter an HTTPS URL and this tool fetches the page's HTML and lists every resource it references over plain http://. It scans the raw server-rendered markup, so it catches static references but not resources injected later by JavaScript.

How to use this tool

  1. 1

    Paste the full HTTPS URL of the page you want to check (for example https://example.com/pricing) into the input field.

  2. 2

    Click Analyze. The tool fetches that page server-side and parses its HTML.

  3. 3

    Review the results: each flagged item shows the tag and attribute (such as script.src or img.src) and the exact http:// URL found.

  4. 4

    Rewrite each listed URL to https:// in your source or CMS, then re-run the check to confirm the count drops to zero.

What is mixed content and how does this checker find it?

Mixed content happens when a page served over HTTPS pulls in subresources over unencrypted HTTP. Because those requests travel in the clear, an attacker on the network can read or tamper with them, which undermines the lock icon the rest of the page earned. Browsers split mixed content into two classes: passive content like images and media usually loads with a warning, while active content like scripts, stylesheets, and iframes is blocked outright in modern browsers, often breaking the page. This checker takes the URL you enter, fetches that page on the server, and parses the returned HTML with the Cheerio library. It then walks five reference points — img src, script src, link href, iframe src, and source src — and flags any value that begins with an absolute http:// prefix. It does not classify each hit as active or passive; it simply reports the tag, attribute, and URL so you can judge severity yourself. Two limits matter: it only sees the raw HTML the server returns, so resources injected later by JavaScript are invisible to it, and it only catches absolute http:// URLs, not protocol-relative (//host) references, CSS url() values, or srcset entries. Treat a clean result as a strong signal, not a formal guarantee.

Common use cases

  • Confirming a freshly migrated WordPress or static site no longer hard-codes any http:// asset URLs after switching the domain to HTTPS.

  • Tracking down which third-party script, font, or analytics tag is causing the browser's 'not fully secure' shield warning on a single page.

  • Spot-checking a marketing landing page before launch so embedded images and iframes do not get silently blocked under HTTPS.

  • Auditing a CMS-published article whose author pasted an old http:// image URL that breaks the padlock on an otherwise secure blog.

  • Verifying that a CDN or reverse-proxy change did not leave a stylesheet or favicon link pointing at the insecure HTTP origin.

  • Giving a client a concrete, line-by-line list of insecure references to fix rather than a vague 'your SSL is broken' complaint.

Frequently asked questions

Does this tool find every piece of mixed content on my site?
No, and it is important to understand why. It only inspects the raw HTML returned by the server for one URL at a time, checking five attributes: img src, script src, link href, iframe src, and source src. It will miss resources that JavaScript adds after the page loads, http:// URLs hidden inside CSS url() rules or inline styles, srcset attributes, and protocol-relative //host references. For a full audit, also open the page in your browser and read the console and Security panel.
Is my URL or page data processed in my browser?
No. Unlike a purely client-side tool, this one sends the URL you enter to our server, which fetches the target page and parses its HTML before returning the results. The page you check is requested from our infrastructure, not from your browser, so do not use it for pages that require your private login session.
Why does it say the URL is not HTTPS?
After following redirects, the final URL did not start with https. Mixed content only applies to pages already served over HTTPS, so the check is skipped. Enter the https:// version of the address, or fix your HTTP-to-HTTPS redirect first, then run it again.
How do I fix the items it reports?
Change each listed http:// URL to https:// in your source, theme, or CMS. If a resource genuinely is not available over HTTPS, host a copy yourself or find an HTTPS-capable alternative. After editing, re-run the checker to confirm the count reaches zero.
Will switching my site to HTTPS fix mixed content automatically?
Not on its own. Serving your own origin over HTTPS is only half the job — every script, image, stylesheet, and iframe the page loads must also use HTTPS. A page can be delivered over HTTPS and still contain dozens of insecure subresource references, which is exactly what this tool surfaces.
Does it flag protocol-relative URLs like //example.com/app.js?
No. The checker only matches references that explicitly begin with http://. Protocol-relative URLs inherit the page's scheme, so under HTTPS they resolve to https and are not mixed content. They are safe in that context and intentionally left out of the results.

Related tools