Free Mixed Content Checker
Scan an HTTPS homepage for mixed content — insecure http:// scripts, stylesheets, iframes, images, media and form actions loaded on a secure page. Active mixed content is blocked by browsers and is a real interception risk.
By scanning, you confirm you own or have permission to test this domain. Not a substitute for manual penetration testing.
What this mixed content checker checks
How it works
Read-only· one HTTPS page fetch- 1We load your HTTPS homepage and parse every referenced resource — scripts, stylesheets, iframes, images, media and form actions.
- 2We flag any that load over insecure http:// and split them into active (scripts/iframes/styles — browser-blocked) vs passive (images/media) mixed content.
- 3We read the page markup only; we do not execute it or crawl deeper.
What it doesn’t do: It inspects the homepage. For a full multi-page crawl, use the Full or Deep scan.
Why it matters
Active mixed content lets a network attacker tamper with a page even when it loads over HTTPS, and modern browsers block it — silently breaking your site. Insecure form actions leak submitted data in plaintext. Both undermine the protection HTTPS is supposed to give.
Frequently asked questions
Is the mixed content checker free?
Yes — no sign-up. We load the HTTPS homepage and inspect its referenced resources for http:// URLs.
What is the difference between active and passive mixed content?
Active mixed content (scripts, iframes, stylesheets) can execute or alter the page and is blocked by browsers. Passive mixed content (images, media) cannot run code but is still shown as insecure and can be tampered with.
Does this scan my whole site?
This free check inspects the homepage. For a full crawl across many pages, run the full recon scan or an authenticated Deep Scan.
My site looks clean but I still get browser mixed-content warnings — why?
This tool checks resources embedded in the initial HTML response. JavaScript apps (React, Vue, Next.js) that fetch or inject resources after page load may have mixed content the scanner cannot see. Open DevTools → Console on your live site and look for "Mixed Content" warnings for the full picture.