
Why it Matters

Mixed content occurs when a page served over HTTPS loads a subresource (script, stylesheet, iframe, image, font, media, XHR/fetch) over plain HTTP. Browsers block active mixed content (scripts, stylesheets, iframes, fetch/XHR) by default and either upgrade passive content (images, audio, video) to HTTPS or flag it in the address bar. The threat is on the network, not the server: anyone between the user and the HTTP host (open Wi-Fi, a compromised router, an ISP) can rewrite a plaintext script in transit, and that script then runs with the full privileges of the HTTPS page origin, so it can read form fields such as card numbers, alter the checkout, or act as the logged-in customer even though the page itself was delivered securely. A plain <a href="http://..."> navigation link is not mixed content; only resources the page actually loads count.

Removing mixed content ensures that every resource is delivered securely. This keeps customers safe, avoids browser security errors, and maintains trust in the checkout flow.

Verification Steps

Manual

# Open browser dev tools (F12 → Console and Network tabs), load the page over HTTPS and
# look for "Mixed Content:" messages in the Console; blocked requests show a
# (blocked:mixed-content) status in the Network tab. Check checkout and login pages too:
# payment, analytics and chat widgets are often injected by JavaScript and never appear
# in the server-rendered HTML.

# Command line scan with curl + grep (server-rendered HTML only; -L follows redirects,
# and the pattern only catches double-quoted attribute values)
curl -sL https://yourstore.com/ | grep -nE '(src|srcset|poster|data|data-src)="http://|<link[^>]+href="http://'
# Any match is a subresource fetched over plain HTTP = FAIL
# A bare grep for "http://" also matches <a href> links, xmlns/schema.org URIs and body
# text, none of which are mixed content, so review the hits rather than counting them.
# Protocol-relative references ("//cdn...") resolve to https:// on an HTTPS page and pass.
# The grep cannot see CSS url()/@import references or resources added by scripts; use
# the browser check for those.
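A more precise scanner than the grep above, added here as an example and not part of the original checklist: it parses the HTML, resolves relative and protocol-relative references against the HTTPS page URL, flags only subresources with an explicit http:// scheme, classifies them as active (script, stylesheet, iframe, object) or passive (images, media, CSS url()), and ignores <a href> links and namespace URIs. The page URL, host names and the sample page are constructed for the demo.

```python
"""Mixed-content scanner for server-rendered HTML (added example, not part of
the original checklist). Host names and SAMPLE_HTML below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that trigger a fetch, grouped by how a browser treats a tampered result.
ACTIVE_TAGS = {"script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",)}
PASSIVE_TAGS = {"img": ("src", "srcset"), "source": ("src", "srcset"),
                "video": ("src", "poster"), "audio": ("src",), "track": ("src",)}
CSS_IMPORT_RE = re.compile(r"@import\s+(?:url\(\s*)?['\"]?([^'\"()\s;]+)", re.I)
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []        # (kind, tag, absolute_url)
        self._in_style = False

    def _check(self, kind, tag, ref):
        # Resolve relative ("/media/x.png") and protocol-relative ("//cdn/x.js")
        # references against the HTTPS page; only an explicit http:// scheme fails.
        absolute = urljoin(self.page_url, ref.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        elif tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            href = attrs.get("href")
            if href and "stylesheet" in rel:
                self._check("active", tag, href)          # CSS can inject content
            elif href and rel & {"icon", "preload", "prefetch"}:
                self._check("passive", tag, href)
        for kind, table in (("active", ACTIVE_TAGS), ("passive", PASSIVE_TAGS)):
            for attr in table.get(tag, ()):
                value = attrs.get(attr)
                if not value:
                    continue
                if attr == "srcset":
                    # srcset = "url 1x, url 2x": each candidate may be fetched
                    for candidate in value.split(","):
                        parts = candidate.split()
                        if parts:
                            self._check(kind, tag, parts[0])
                else:
                    self._check(kind, tag, value)
        if attrs.get("style"):                            # inline background: url(...)
            self._scan_css(attrs["style"], tag)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._scan_css(data, "style")

    def _scan_css(self, css, tag):
        for m in CSS_IMPORT_RE.finditer(css):             # imported stylesheets are active
            self._check("active", tag, m.group(1))
        for m in CSS_URL_RE.finditer(CSS_IMPORT_RE.sub("", css)):
            self._check("passive", tag, m.group(1))       # fonts/images referenced by CSS


def scan_html(html, page_url):
    """Return [(kind, tag, absolute_url)] for every http:// subresource in html."""
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: the xmlns URI, the <a href> link and the protocol-relative
# stylesheet are NOT mixed content; the other five http:// references are.
SAMPLE_HTML = """<!doctype html>
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<link rel="stylesheet" href="http://cdn.example.com/css/theme.css">
<link rel="stylesheet" href="//cdn.example.com/css/fonts.css">
<style>.hero { background: url("http://cdn.example.com/img/hero.jpg"); }</style>
<script src="https://cdn.example.com/js/app.js"></script>
<script src="http://cdn.example.com/js/tracker.js"></script>
</head><body>
<a href="http://www.example.org/terms">Terms</a>
<img src="/media/logo.png" srcset="http://cdn.example.com/img/logo@2x.png 2x">
<iframe src="http://chat.example.net/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    import sys
    findings = scan_html(SAMPLE_HTML, "https://yourstore.com/")
    for kind, tag, url in findings:
        print(f"{kind:7s} <{tag}> {url}")
    sys.exit(1 if findings else 0)                        # non-zero = FAIL for CI use
```

To scan a live page, pass the body from curl -sL into scan_html together with the URL it was fetched from; the exit status makes it usable as a gate in a deployment pipeline. It still only sees server-rendered markup, so the browser check remains necessary for resources injected by scripts.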

Remediation / Fix Guidance

  1. Update the Magento base URLs (Stores > Configuration > General > Web: Base URL and Secure Base URL, config paths web/unsecure/base_url and web/secure/base_url) to https://, and enable "Use Secure URLs on Storefront" and "Use Secure URLs in Admin". Re-check any other configuration value that carries a URL (media and static base URLs, CDN settings).
  2. Replace hard-coded http:// references in themes, templates, layout XML, widgets and CMS blocks/pages with https://. Protocol-relative (//) references also work on an HTTPS page, but an explicit https:// is safer because it stays secure even if the page is ever served over HTTP.
  3. Check third-party scripts (analytics, chat, ads, payment widgets) and use HTTPS versions only; a provider that cannot serve its script over HTTPS should be removed, because a request to it will be blocked or fail rather than silently work.
  4. As a safety net while references are being fixed, enable "Upgrade Insecure Requests" (Stores > Configuration > General > Web > Base URLs (Secure)), which sends the Content-Security-Policy: upgrade-insecure-requests header and makes browsers rewrite http:// subresource requests to https://. This hides the symptom, not the cause: the references still need correcting.
  5. Test checkout, customer login, and product pages (including pages that render CMS content) to confirm no mixed content warnings remain.

Examples

Fail Example
<script src="http://cdn.example.com/js/tracker.js"></script>
<img src="http://cdn.example.com/images/logo.png">
Pass Example
<script src="https://cdn.example.com/js/tracker.js"></script>
<img src="https://cdn.example.com/images/logo.png">
