Site is on HTTPS, but the browser shows 'mixed content' warning or an open padlock
Mixed content is HTTP resources on an HTTPS page (images, scripts, iframes). Since Chrome 80+ browsers silently block active mixed content (scripts, iframes), passive content shows a broken padlock. Fix is always: all sources on HTTPS, no exception.
Try this first
- 1Open devtools console on a suspect page, it lists exactly which URL is HTTP.
- 2First fix: replace http:// with https:// in templates and database. For WordPress a tool like Better Search Replace, for Next.js a grep through your content.
- 3Second fix: add a Content-Security-Policy upgrade-insecure-requests header, the browser auto-upgrades HTTP resources to HTTPS where possible.
- 4External iframes and scripts (analytics, ads, video) must offer an HTTPS URL too. Replace old embed codes as needed.
- 5For user-uploaded content (old blog posts with http://imgur.com/...): script through the DB and rewrite URLs, or host all assets yourself via a CDN.
When to bring us in
If you have lots of legacy content with HTTP links and CSP fixes do not fully solve it, we can write a cleanup script that walks the database and assets.
See also
- Domain expires tomorrow and nobody saw the emailAn expired domain doesn't transfer instantly. There's a redemption window, but you pay extra.
- Unsure whether to enable auto-renewDisabling auto-renew only makes sense for domains you'll truly drop. For anything live, just keep it on.
- New registrar asks for auth code, can't find itEPP code or transfer code is the password to move a domain from registrar A to B.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.