SOLUTIONS
Deliver Superior Online Experiences
Mitigate DDoS AttacksStop Malicious Bot AbuseAccelerate Internet ApplicationsEnsure Application AvailabilityOptimize Web ExperiencesStream Videos On-DemandSuperior Online Experience for China Users
Secure Employee Applications and Devices
Deliver Zero Trust Access to ApplicationsImplement Secure Access Service Edge (SASE)Protect Users Accessing the InternetProtect Corporate NetworksManage Secure Contractor AccessReplace Virtual Private Networks (VPNs)Secure Your Remote WorkforceStop Zero Day Attacks with Browser Isolation
 
Protect and Accelerate Networks
Cloudflare's Network ServicesMitigate L3 DDoS AttacksConnect network infrastructure with CloudflareTransform Corporate Networks
Code on the Network Edge
Build a Serverless ApplicationDeploy a Static WebsiteConfigure a CDNDefine Conditional Request Routing
Manage a Secure Cloud
Secure Hybrid, Cloud, & SaaS PlatformsEnable SSL for SaaS ApplicationsReduce Cloud Data Transfer Costs
Register a Website
Register or Transfer a Website
INDUSTRIES
eCommerceFinancial ServicesGamingHealthcare and Life SciencesMedia and EntertainmentPublic SectorSaaSEducation
PUBLIC INTEREST
Election CampaignsAthenian ProjectProject GalileoProject Fair Shot
FOR INFRASTRUCTURE
Application & Network Security
DDoS ProtectionWAFBot ManagementMagic TransitMagic WANRate LimitingSSL / TLSSSL/TLS for SaaS ProvidersCloudflare SpectrumNetwork InterconnectCDNDNSArgo Smart RoutingLoad BalancingStream DeliveryChina NetworkWaiting Room
FOR TEAMS
Cloudflare for TeamsAccessGatewayBrowser Isolation
FOR DEVELOPERS
Serverless Applications
Cloudflare WorkersCloudflare Workers KV
Domain Registration
Cloudflare Registrar
Website Development
Cloudflare PagesCloudflare Stream
SaaS Developers
Cloudflare for SaaS
FOR EVERYONE
1.1.1.11.1.1.1 with WARP (App)1.1.1.1 for Families
INSIGHTS
AnalyticsCloudflare LogsWeb AnalyticsCloudflare Radar
PRIVACY
Data LocalizationCompliance
FOR INFRASTRUCTURE
Advanced Security
Bot ManagementFirewall rulesMagic TransitSpectrum (TCP/UDP)SSLWAFCDNDNSImage ResizingLoad BalancingStream (Video)
 
Insights
Analytics
Domain Registration
Registrar
FOR SERVERLESS APPLICATIONS
Workers Quick StartCloudflare PagesSample Workers ProjectsWorkers TutorialsCommand-line (Wrangler)Runtime
FOR TEAMS
Cloudflare for Teams
EXPLORE CLOUDFLARE API
Cloudflare APIAPI Authentication
DOCUMENTATION HUB
Dev Documentation Hub
RESOURCES
Resource HubWhitepapersWebinarsSolutions & Product GuidesCase StudiesAnalysts
EXPLORE
What's New?Network MapCloudflare in ChinaGDPR
GET STARTED
Register Your WebsiteWelcome CenterGet Help
LEARN
Learning CenterSecurityDDoSBot ManagementSSLIdentity and Access ManagementPerformanceCDNDNSCloudServerlessNetwork Layer
CONNECT
BlogCommunity
TRUST
Trust HubPrivacy & Data ProtectionCertificationsTrust & SafetyGDPRLegal Documentation
CONTACT
+1 650 319 8930
CHANNEL & ALLIANCE PARTNERS
Partner NetworkPartner Portal
TECHNOLOGY PARTNERS
OverviewAnalytics PartnersBandwidth AllianceEndpoint Security PartnershipsInterconnect PartnershipsNetwork On-ramp PartnershipsPeering Portal
PRICING BY PLAN
FreeProBusinessEnterprise
COMPARE AND EXPLORE
Need Help Choosing a Plan?Add OnsCompare All Plans

What is mixed content? | HTTP vs. HTTPS

Mixed content occurs when TLS-protected sites contain elements that are loaded over the unsecure HTTP protocol. This creates a vulnerability that attackers can exploit.

Learning Objectives

After reading this article you will be able to:

  • Describe the conditions that produce mixed content
  • Differentiate between passive and active mixed content
  • Understand how mixed content can be prevented

Related Content

What is SSL?

What is an SSL Certificate?

What is TLS?

What is HTTPS?

Why Use HTTPS?

Copy article link

What is mixed content?

With TLS (also known as SSL), Internet communication is encrypted, creating a more secure browsing experience. Users can easily identify TLS-encrypted sites because they have ‘https://’ in the URL instead of ‘http://’. But in some instances, an HTTPS site can also contain some elements that are loaded using the plaintext HTTP protocol. This creates a condition known as mixed content, sometimes referred to as ‘HTTP over HTTPS’.

Mixed Content in a Browser

With mixed content, users will be under the impression that they are on a secure, encrypted connection because they are on an HTTPS-protected site, but the unencrypted elements of the page create vulnerabilities, opening up those users to malicious activity such as unauthorized tracking and on-path attacks. The severity of the vulnerability depends on whether the mixed content is passive or active.

What’s the difference between passive/display mixed content and active mixed content?

Passive/Display Mixed Content: In this case, the unencrypted HTTP content is restricted to encapsulated elements on the site that cannot interact with the rest of the page – for example, images or videos. For example, an attacker can block or replace an image loaded over HTTP, but wouldn’t be able to modify the rest of the page.

Active Mixed Content: In this case, elements or dependencies that can interact with and alter the entire webpage are served over HTTP. These include dependencies like JavaScript files and API requests.

Active mixed content presents a more severe threat than passive/display mixed content; when compromised, it allows an attacker to take over an entire webpage, collect sensitive user input such as login credentials, serve the user a spoofed page, or redirect the user to an attacker’s site.

Most modern web browsers provide warnings in the developer console for mixed content, as well as blocking the more dangerous types of mixed content. Each browser has its own set of rules, but generally speaking, active mixed content is much more likely to be blocked.

Although passive/display mixed content poses less of a threat, it still provides an opportunity for attackers to compromise privacy and track user activity. Furthermore, since a lot of browsers allow some forms of passive mixed content and only provide users with mixed content warnings in the developer console, many users will be unaware that they are being exposed to mixed content.

Mixed Content Errors in Chrome

Users on antiquated web browsers are particularly vulnerable, as these browsers may not block mixed content at all.

Why don’t browsers just block all mixed content?

An unfortunately large number of popular websites serve mixed content in one form or another. A web browser that blocks all mixed content would be delivering a very narrow version of the web to their users. Until more websites clean up this issue, browsers must compromise by permitting some of the less severe forms of mixed content.

How can mixed content errors be fixed?

Web developers own the responsibility for eliminating mixed content. Over time, web browsers have become more and more restrictive in regards to mixed content, and this trend will only continue. It is therefore imperative that developers eliminate mixed content if they want web browsers to continue displaying their site.

The fix for mixed content is quite simple: Web developers need to ensure that every resource on their page is loaded over HTTPS. In practice, this can prove tricky, as modern websites often load several different resources from various places.

A good tool for developers to spot all instances of mixed content on their pages is the Google Chrome developer console. Developers can also check their source code for instances of resources, such as API calls and libraries, that are loaded using an ‘http://’ URL. In some cases, the solution is simply replacing the ‘http://’ URL with ‘https://’. But first, it must be verified that an HTTPS version of that resource is available. If an encrypted version of the resource isn’t available, it will either need to be replaced or removed altogether.

Check out the Cloudflare tool for identifying SSL issues, including mixed content: https://www.cloudflare.com/diagnostic-center/

Sales

About SSL/TLS

About HTTPS

About Encryption

SSL Glossary

Learning Center Navigation

© 2021 Cloudflare, Inc.Privacy PolicyTerms of UseDisclosureCookie PreferencesTrademark