What does upgrade-insecure-requests do?

The Content-Security-Policy: upgrade-insecure-requests header tells the browser to automatically change http:// requests to https:// before sending them. This fixes mixed content without changing the HTML source code.

How do I find all mixed content on my site?

Use Chrome DevTools Console for individual pages, or run a site-wide scan with tools like SSL Labs, Why No Padlock, or JitBit SSL Check. These tools crawl your site and report all HTTP resources on HTTPS pages.

Mixed Content Blocked — HTTP Resources on HTTPS Page Blocked by Browser

Warningsecurity

Overview

Fix mixed content warnings and blocked resources when an HTTPS page loads images, scripts, or other resources over insecure HTTP connections.

Key Details

Mixed content occurs when an HTTPS page loads sub-resources (scripts, images, CSS) over HTTP
Active mixed content (scripts, iframes) is blocked by default in all modern browsers
Passive mixed content (images, audio, video) shows a warning but may still load
Mixed content breaks the security guarantee of HTTPS — attackers could modify HTTP resources
Content-Security-Policy: upgrade-insecure-requests header automatically upgrades HTTP to HTTPS

Common Causes

Website HTML contains hardcoded http:// URLs for images, scripts, or stylesheets
Third-party embed or widget loaded over HTTP on an HTTPS page
CMS (WordPress) database contains old http:// URLs from before HTTPS migration
CDN or external resource does not support HTTPS

Steps

1Open browser DevTools (F12) > Console to see which resources are blocked as mixed content
2Update resource URLs from http:// to https:// or use protocol-relative //example.com/resource
3For WordPress: use a search-replace plugin to update all http:// URLs in the database to https://
4Add Content-Security-Policy: upgrade-insecure-requests header to automatically upgrade HTTP to HTTPS
5If the third-party resource does not support HTTPS, proxy it through your own HTTPS server

Related Items

browser-hsts-cannot-visit-site

More in Security

windows-defender-errorsWindows Defender Errors — Antivirus Not Working or Updating

Error

windows-error-0x80073b01-defender-serviceWindows Error 0x80073B01 — Windows Defender Service Failed to Start

Error

windows-bitlocker-recovery-key-errorsBitLocker Recovery Key Errors — Drive Locked and Recovery Key Not Found

Critical

mac-gatekeeper-app-blockedMac Gatekeeper — App Cannot Be Opened (Unidentified Developer)

Warning

mac-filevault-recovery-errorsMac FileVault Errors — Encryption, Decryption & Recovery Key Issues

Error

mac-keychain-errors-passwordsMac Keychain Errors — Password Prompts, Locked Keychain, and Repair Guide

Warning

Frequently Asked Questions

Active mixed content (scripts, stylesheets, iframes) can modify the page and is always blocked. Passive mixed content (images, audio, video) cannot execute code and is usually displayed with a warning but not blocked.

Mixed Content Blocked — HTTP Resources on HTTPS Page Blocked by Browser

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in Security

Frequently Asked Questions