Mixed Content issues are scanned as part of the Sensitive Data Exposure Security Tests used to evaluate the Web Application Security Risk Vector.
Mixed content occurs when an HTTPS page loads resources (such as images, scripts, or stylesheets) over plain HTTP. A mixed content finding is raised, for example, when an HTML page served successfully over HTTPS (an HTTP 200 response) includes a resource that is requested via HTTP.
Need to fix?
- Ensure all resources are loaded via HTTPS, not HTTP.
- Update any links or scripts to use HTTPS.
This helps protect users and avoids browser security warnings.
What’s the risk? Mixed content creates a security vulnerability, enabling attackers to intercept or alter sensitive data on the page. This occurs even though the main website connection is encrypted, compromising the user's overall security experience.
Does this impact my WAS Risk Vector Grade? Yes.
Possible Grades:
- Good: Low count/severity. Weight = 0.
- Fair: Medium count/severity. Weight: >0 to <10. Mixed Content Score: <10.
- Warn: Medium count/severity. Weight: 10 to <1000. Mixed Content Score: 10 to <1000.
- Bad: High count/severity. Weight: 1000 to 10101. Mixed Content Score: ≥ 1000.
What is a mixed content score? When an HTTPS site is visited, we list all insecure (HTTP) content. Browsers may block (blocked) or upgrade the insecure resource to HTTPS (upgraded). Since blocked content is more security-sensitive, we assign weights to mixed content events:
- Content Upgraded: Resource automatically upgraded to HTTPS (Weight = 0.1).
- Content Warning: Resource loaded via HTTP (excluding insecure FORMs) (Weight = 10.0).
- Content Blocked: Resource blocked by the browser (including insecure FORM resources) (Weight = 1000.0).
For each website, the mixed content score is the sum of the weights of all mixed content events observed.
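The following is an added example, not Bitsight's scanner or scoring code. It shows the two steps the text describes: finding subresources that an HTTPS page requests over plain HTTP (the finding defined above), and turning those events into a score and grade using the weights and thresholds stated on this page. The mapping from HTML element to "upgraded", "warning" or "blocked" is an assumption modelled on how current Chromium-based browsers treat mixed content (passive media is auto-upgraded, active content and form submissions are blocked); the page does not specify that mapping, so `DEFAULT_POLICY`, `scan_page`, `mixed_content_score`, `grade` and the sample HTML are all constructed here.

```python
"""Toy mixed-content scanner and scorer (added example, not Bitsight's code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Event weights exactly as the page states them.
WEIGHTS = {"upgraded": 0.1, "warning": 10.0, "blocked": 1000.0}

# Assumed browser policy (hypothetical, modelled on Chromium's mixed-content
# handling): passive media is auto-upgraded to HTTPS, active content and
# form submissions are blocked, any other HTTP resource loads with a warning.
DEFAULT_POLICY = {
    "img": "upgraded", "audio": "upgraded", "video": "upgraded", "source": "upgraded",
    "script": "blocked", "iframe": "blocked", "link": "blocked",
    "object": "blocked", "form": "blocked",
}

# Attributes that carry a resource URL.
URL_ATTRS = ("src", "href", "action", "data")


class MixedContentParser(HTMLParser):
    """Collects (tag, url, event) for every http:// resource on an https:// page."""

    def __init__(self, page_url, policy=DEFAULT_POLICY):
        super().__init__()
        self.page_url = page_url
        self.policy = policy
        self.events = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            return  # navigation links are not subresources
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # <link rel="canonical"> and similar are not loaded
        for name in URL_ATTRS:
            raw = attrs.get(name)
            if not raw:
                continue
            # Relative and protocol-relative ("//host/x") URLs inherit the
            # page's https scheme, so only an explicit http:// URL counts.
            url = urljoin(self.page_url, raw.strip())
            if urlsplit(url).scheme == "http":
                self.events.append((tag, url, self.policy.get(tag, "warning")))


def scan_page(page_url, html):
    """Return mixed content events for one page; HTTP pages cannot have any."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.events


def mixed_content_score(events):
    """Sum of the per-event weights, as the page describes."""
    return round(sum(WEIGHTS[event] for _, _, event in events), 6)


def grade(score):
    """Grade thresholds from the list above: 0, >0 to <10, 10 to <1000, >=1000."""
    if score == 0:
        return "Good"
    if score < 10:
        return "Fair"
    if score < 1000:
        return "Warn"
    return "Bad"


# Constructed sample page: one resource of each event class plus non-findings.
SAMPLE_URL = "https://example.test/checkout"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://cdn.example.test/site.css">
  <link rel="canonical" href="http://example.test/checkout">
  <script src="//cdn.example.test/app.js"></script>
</head><body>
  <img src="http://img.example.test/logo.png">
  <img src="/static/hero.png">
  <embed src="http://legacy.example.test/widget.swf">
  <a href="http://partner.example.test/">partner</a>
  <form action="http://example.test/pay" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    found = scan_page(SAMPLE_URL, SAMPLE_HTML)
    for tag, url, event in found:
        print(f"{event:9s} {tag:7s} {url}")
    score = mixed_content_score(found)
    print(f"score={score} grade={grade(score)}")
```

Running it on the constructed page reports four events (blocked stylesheet, upgraded image, warning-class embed, blocked form action), a score of 2010.1 and a grade of Bad; the protocol-relative script, the relative image path, the canonical link and the anchor are correctly not counted. The same scorer shows why a single blocked resource dominates: one blocked form alone already lands a site in the Bad band, whereas dozens of auto-upgraded images stay in Fair.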
What will I see in the portal?
Issue: Secure page included non-secure content.
Details: The page attempted to load an HTTP resource from an HTTPS context.
Want to learn more?
Mixed Content Issues are one of the top WAS Security Tests that result in negative findings. Learn more about how we assess Mixed Content findings at Bitsight Academy.