SaaSalyst
High severity · Security & Infrastructure

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) over insecure HTTP, weakening your encryption and triggering browser warnings. SaaSalyst checks your page for HTTP resources loaded on HTTPS pages, detecting a security vulnerability that modern browsers increasingly block.

What SaaSalyst Checks

SaaSalyst parses your homepage HTML and examines all resource references: <img src>, <script src>, <link href>, <iframe src>, <video src>, and <audio src>. Any resource URL starting with 'http://' on an HTTPS page is flagged as mixed content. The scanner counts the total number of mixed content resources found.
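The check described above, written out as an added example; this is not SaaSalyst's own code, and the class and function names are hypothetical. It goes slightly beyond the paragraph by matching the scheme case-insensitively and by labelling each finding "blockable" or "upgradable", an assumption based on common browser behaviour rather than something the page states.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> URL attribute, the same references the paragraph above lists.
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href",
                  "iframe": "src", "video": "src", "audio": "src"}
# Assumption (not from the page): browsers block these; img/media get upgraded.
BLOCKABLE = {"script", "link", "iframe"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, kind)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        url = (dict(attrs).get(attr) or "").strip()
        # Schemes are case-insensitive, so "HTTP://" must match too.
        if url.lower().startswith("http://"):
            kind = "blockable" if tag in BLOCKABLE else "upgradable"
            self.findings.append((self.getpos()[0], tag, url, kind))


def find_mixed_content(page_url, html):
    """Return findings for an HTTPS page; HTTP pages cannot have mixed content."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="HTTP://cdn.example.com/app.css">
<script src="https://cdn.example.com/ok.js"></script>
<script src="//cdn.example.com/relative.js"></script>
</head><body>
<img src="http://img.example.com/logo.png">
<a href="http://example.com/">plain links are navigation, not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, kind in find_mixed_content("https://app.example.com/", SAMPLE_HTML):
        print(f"line {line}: <{tag}> {url} ({kind})")
```

A static scan like this only sees URLs present in the HTML; resources requested later by scripts or stylesheets show up in the browser console instead.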

Why This Matters

Mixed content undermines the security provided by HTTPS. When a script is loaded over HTTP, an attacker can modify it in transit, injecting malicious code that executes with full access to your HTTPS page — including cookies, session tokens, and user data.

Modern browsers increasingly block mixed content automatically, which means HTTP resources simply won't load — breaking images, scripts, and functionality on your page.

For SaaS products, mixed content signals incomplete HTTPS implementation. Enterprise security audits flag it as a vulnerability that shows the HTTPS migration wasn't fully completed.

40%: Higher secret exposure in repos using AI coding assistants (GitGuardian 2025 Report)

400+: Exposed secrets found across 5,600 vibe-coded apps (Escape.tech)

How to Fix It

  1. Update all resource URLs to use https:// instead of http://. Most CDNs and services support HTTPS.
  2. Use protocol-relative URLs (//example.com/file.js) or absolute HTTPS URLs. Better yet, use relative paths for your own resources.
  3. Add <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> to automatically upgrade HTTP requests to HTTPS.
  4. Check the Console tab in your browser's developer tools for mixed content warnings to identify the specific resources.

Frequently Asked Questions

How does SaaSalyst detect mixed content?

SaaSalyst scans all resource references in your HTML (images, scripts, stylesheets, iframes, video, audio) for URLs starting with 'http://' on HTTPS pages.

Why is mixed content a security issue?

HTTP resources on HTTPS pages can be intercepted and modified by attackers. SaaSalyst flags mixed content because it weakens your HTTPS encryption and can enable script injection attacks.

How does mixed content affect my Business Readiness Score?

SaaSalyst rates mixed content as high severity in Security & Infrastructure. It undermines HTTPS security, triggers browser warnings, and signals incomplete security implementation to enterprise auditors.
