Mixed Content Checker
Enter an HTTPS URL and this tool fetches the page's HTML and lists every resource it references over plain http://. It scans the raw server-rendered markup, so it catches static references but not resources injected later by JavaScript.
How to use this tool
- 1
Paste the full HTTPS URL of the page you want to check (for example https://example.com/pricing) into the input field.
- 2
Click Analyze. The tool fetches that page server-side and parses its HTML.
- 3
Review the results: each flagged item shows the tag and attribute (such as script.src or img.src) and the exact http:// URL found.
- 4
Rewrite each listed URL to https:// in your source or CMS, then re-run the check to confirm the count drops to zero.
What is mixed content and how does this checker find it?
Mixed content happens when a page served over HTTPS pulls in subresources over unencrypted HTTP. Because those requests travel in the clear, an attacker on the network can read or tamper with them, which undermines the lock icon the rest of the page earned. Browsers split mixed content into two classes: passive content like images and media usually loads with a warning, while active content like scripts, stylesheets, and iframes is blocked outright in modern browsers, often breaking the page. This checker takes the URL you enter, fetches that page on the server, and parses the returned HTML with the Cheerio library. It then walks five reference points — img src, script src, link href, iframe src, and source src — and flags any value that begins with an absolute http:// prefix. It does not classify each hit as active or passive; it simply reports the tag, attribute, and URL so you can judge severity yourself. Two limits matter: it only sees the raw HTML the server returns, so resources injected later by JavaScript are invisible to it, and it only catches absolute http:// URLs, not protocol-relative (//host) references, CSS url() values, or srcset entries. Treat a clean result as a strong signal, not a formal guarantee.
Common use cases
Confirming a freshly migrated WordPress or static site no longer hard-codes any http:// asset URLs after switching the domain to HTTPS.
Tracking down which third-party script, font, or analytics tag is causing the browser's 'not fully secure' shield warning on a single page.
Spot-checking a marketing landing page before launch so embedded images and iframes do not get silently blocked under HTTPS.
Auditing a CMS-published article whose author pasted an old http:// image URL that breaks the padlock on an otherwise secure blog.
Verifying that a CDN or reverse-proxy change did not leave a stylesheet or favicon link pointing at the insecure HTTP origin.
Giving a client a concrete, line-by-line list of insecure references to fix rather than a vague 'your SSL is broken' complaint.
Frequently asked questions
Does this tool find every piece of mixed content on my site?▼
Is my URL or page data processed in my browser?▼
Why does it say the URL is not HTTPS?▼
How do I fix the items it reports?▼
Will switching my site to HTTPS fix mixed content automatically?▼
Does it flag protocol-relative URLs like //example.com/app.js?▼
Related tools
DNS Lookup
Look up DNS records (A, AAAA, MX, TXT, NS) for any domain.
WHOIS Lookup
Get full WHOIS data for any domain.
SSL Certificate Checker
Check SSL certificate validity, issuer, and expiry.
HTTP Header Analyzer
Inspect HTTP response headers and security signals.
HTTP Status Code Checker
Check status code of any URL — single or bulk.
Redirect Chain Tracer
Follow every hop in a redirect chain.