Mixed Content Insecure

This page tries to load http:// subresources. If you serve this page over HTTPS, modern browsers will block them (check DevTools → Console).

Parent protocol: Expect blocks when parent is HTTPS

Active Mixed Content — HTTP Script

should be blocked

Why it’s bad: an attacker on-path can tamper with HTTP scripts. On HTTPS pages, browsers block these to protect integrity.

  1. Click Load HTTP script — we point to http://code.jquery.com/jquery-3.7.1.min.js.
  2. If this page is HTTPS, it should be blocked as mixed content.
  3. Open the Console for a “Mixed Content” error.
Waiting…

Passive Mixed Content — HTTP Image

often blocked

Why it’s bad: even images can be swapped on-path to mislead users or inject pixel beacons. Modern browsers block or auto-upgrade HTTP images on HTTPS pages.

  1. Click Load HTTP image — we point to http://http.badssl.com/logo.svg.
  2. On HTTPS, it should be blocked; check Console for the warning.
Waiting…