Pages served over HTTPS must not load HTTP assets (scripts, styles, images). Mixed content undermines TLS guarantees and enables injection. Audit templates and CDN references, update asset URLs to HTTPS, and implement Content Security Policy to prevent accidental regressions.
Mixed content happens when an HTTPS page loads resources (images, scripts, styles) over HTTP. Browsers may block these requests or show warnings. If attackers tamper with those HTTP assets, they can inject malware or steal user data even though the main page uses HTTPS.
Removing mixed content ensures that every resource is delivered securely. This keeps customers safe, avoids browser security errors, and maintains trust in the checkout flow.
# Open browser dev tools (F12 → Console/Network)
# Look for "Mixed Content" warnings on HTTPS pages
# Command line scan with curl + grep: report only tags that fetch a subresource
# (<a href="http://..."> is a navigation link, not mixed content, so it is excluded)
curl -sL https://yourstore.com | grep -oiE '<(script|img|link|iframe|source|video|audio)[^>]*(src|href|srcset|poster)="http://[^"]*"'
# Any http:// subresource URL found in the HTML = FAIL
# The grep only sees the initial HTML; assets loaded from CSS or JavaScript only show up in dev tools
Replace http:// links in themes, templates, and CMS blocks with protocol-relative (//) or https://.

Before:
<script src="http://cdn.example.com/js/tracker.js"></script>
<img src="http://cdn.example.com/images/logo.png">

After:
<script src="https://cdn.example.com/js/tracker.js"></script>
<img src="https://cdn.example.com/images/logo.png">
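The curl + grep check above and the template rewrite both come down to the same two operations: find the tags whose attributes make the browser fetch a subresource over http://, and rewrite those URLs to https://. The following Python script is an added example, not code from the original page; it parses the HTML instead of grepping it, so navigation links (<a href>) and canonical links are not reported as mixed content, it handles srcset lists, and it includes a check for the CSP upgrade-insecure-requests directive mentioned above as the regression guard. The sample HTML and the header dictionary are constructed for the example; cdn.example.com and yourstore.com are the page's own placeholder hosts.

```python
# Added example (not from the original page): find mixed-content subresources in
# HTML, rewrite them to https://, and check whether the CSP would block or
# upgrade any http:// subresource that slips back in. Sample data is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value the browser fetches as a subresource. <a href> is a
# navigation, not a subresource, so it is deliberately absent: an http:// anchor
# is not mixed content and a plain grep for "http://" would over-report it.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}
# <link rel=canonical|alternate> is page metadata; the browser does not fetch it.
NON_FETCHING_LINK_RELS = {"canonical", "alternate"}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, url) triples for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)  # html.parser lowercases tag names
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() in NON_FETCHING_LINK_RELS:
            return
        for attr in wanted:
            value = attrs.get(attr)
            if not value:
                continue
            # srcset is "url descriptor, url descriptor, ..."; keep only the URLs
            if attr == "srcset":
                candidates = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for url in candidates:
                url = url.strip()
                if urlsplit(url).scheme.lower() == "http":
                    self.findings.append((tag, attr, url))


def find_mixed_content(html):
    """Return every http:// subresource reference found in the HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Start tags of the elements listed above; used to scope the rewrite so that
# <a href="http://..."> links to third-party sites are left untouched.
TAG_RE = re.compile(r"<(?:%s)\b[^>]*>" % "|".join(SUBRESOURCE_ATTRS), re.I)


def upgrade_to_https(html):
    """Rewrite http:// to https:// inside subresource start tags only."""
    def fix_tag(match):
        # Inside a start tag an absolute URL is always preceded by a quote, '=',
        # whitespace or (in srcset) a comma, so this never touches tag text.
        return re.sub(r"(?<=[\"'\s,=])http://", "https://", match.group(0), flags=re.I)
    return TAG_RE.sub(fix_tag, html)


def csp_guards_mixed_content(headers):
    """True if the response's CSP upgrades or blocks http:// subresources.

    upgrade-insecure-requests rewrites them to https:// before fetching;
    block-all-mixed-content is the older directive that refuses them outright.
    """
    csp = headers.get("Content-Security-Policy", "")
    directives = {d.strip().split()[0].lower() for d in csp.split(";") if d.strip()}
    return "upgrade-insecure-requests" in directives or "block-all-mixed-content" in directives


# Constructed sample: a canonical link and an anchor (neither is mixed content),
# two http:// subresources, and one resource that is already correct.
SAMPLE_HTML = """
<link rel="canonical" href="http://yourstore.com/">
<a href="http://partner.example.com/">partner</a>
<script src="http://cdn.example.com/js/tracker.js"></script>
<img src="http://cdn.example.com/images/logo.png">
<img src="https://cdn.example.com/images/hero.png">
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"FAIL <{tag} {attr}> {url}")
    print(upgrade_to_https(SAMPLE_HTML))
    headers = {"Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests"}
    print("CSP guards mixed content:", csp_guards_mixed_content(headers))
```

Run it against a saved copy of a page (for example the output of the curl command above) to get the FAIL list, and feed templates through upgrade_to_https to produce the "After" form. Like the grep, it only sees the HTML it is given: resources pulled in by CSS url() or by JavaScript still need the dev-tools Console/Network check.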