Visitors to websites protected by the HTTPS or SSL protocol expect and deserve protection. A mixed content SSL warning indicates that a page which should be completely encrypted is using both secured and unsecured elements. Any website using an HTTPS address must have all of its content coming from a secured source. Any page that links to a non-secure source over HTTP is considered insecure and is flagged by your browser as a security risk.
When customers see a Not Secure Website warning, they normally react in one of two ways. If they do not take security seriously, they will ignore it and presume everything is okay. If they take security seriously, they will leave your website assuming you do not take security seriously, never to return. Most modern browsers will block the more malicious types of mixed content, and in doing so may stop your website from loading. The best solution is to make sure that these warnings and/or blocks do not happen by correctly configuring your website to serve only secure content.
Mixed content warnings can appear when you force a redirect from HTTP to HTTPS for your website.
Images have hard-coded URLs.
<img src="http://example.com/images/myimage.jpg">
You are using HTTP versions of external scripts, jQuery, Font Awesome, etc.
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js" type="text/javascript"></script>
You are using embedded video scripts where the referring website uses the HTTP protocol instead of HTTPS.
<http://www.youtube.com/watch?v=C3e9OLTcw>
Developers sometimes use absolute paths in the website’s code to link to resources like CSS and JavaScript instead of using relative paths.
<http://example.com/css/style.css>
Passive content and Active content
Both types degrade user trust and SEO rankings, requiring immediate fixes like upgrading to HTTPS URLs or using Content Security Policy headers to enforce secure connections.
Passive content refers to items which can be replaced or altered, but cannot change other parts of the page.
For instance, a graphic or photograph. The most common cause of all mixed content warnings is a secure website that is configured to pull images from an unsecured website or source.
Passive HTTP requests are served via these tags:
<audio src="/attribute">
<img src="/images/rshweb.gif">
<video src="/attribute">
Active content can alter the web page itself. A JavaScript or PHP script, or another application, could allow a request for HTTP content on any HTTPS page to be intercepted and/or rewritten.
This makes malicious active content very dangerous. User credentials and/or sensitive data can be stolen, or malware installed on the user’s computer system. Example: A bit of JavaScript on a web page designed to generate a random password could be replaced by code that provides a pre-generated password instead, and/or that secretly delivers an otherwise secure password to a third party. Active mixed content can be exploited to compromise sensitive private data, but even public web pages which seem innocuous can still redirect to dangerous sites, deliver unwanted content or steal cookies for exploitation.
Active content might include:
All modern browsers will try to block active mixed content. But this may stop an incorrectly-configured website from loading.
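A small scanner for the causes described above, as an added example that is not part of the original article: it parses a page's HTML, reports every http:// subresource as passive or active, and suggests a replacement URL. The passive tags are the ones listed above; the active tag set (script, iframe, stylesheet link), the function names and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> URL attribute. The passive tags are the ones listed above; the active
# set is an assumption based on common browser behaviour, not from the article.
PASSIVE = {"img": "src", "audio": "src", "video": "src"}
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}

class MixedContentScanner(HTMLParser):
    """Collect http:// subresources referenced by a page served over HTTPS."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, tag, url, suggested replacement)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        kind = "passive" if tag in PASSIVE else "active" if tag in ACTIVE else None
        if kind is None:
            return  # e.g. <a href>: navigation, not a subresource
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as active here
        url = (attrs.get({**PASSIVE, **ACTIVE}[tag]) or "").strip()
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            return  # https://, relative and protocol-relative URLs are fine
        if parts.hostname == self.site_host:
            # Same site: a relative URL follows the page's own scheme
            fix = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        else:
            # External: only valid if the host really serves this over HTTPS
            fix = parts._replace(scheme="https").geturl()
        self.findings.append((kind, tag, url, fix))

def scan(html, site_host):
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page that reuses the URLs shown in this article.
SAMPLE = """
<link rel="stylesheet" href="http://example.com/css/style.css">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<img src="http://example.com/images/myimage.jpg">
<img src="/images/rshweb.gif">
<a href="http://example.com/web-site-hosting">hosting</a>
"""
```

Calling scan(SAMPLE, "example.com") returns three findings: the stylesheet and the script as active, the hard-coded image as passive. The relative image and the ordinary link are not reported.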
These issues not only disrupt user experience but also signal to search engines like Google that your site isn't trustworthy, potentially dropping rankings. In 2025, with certificate lifespans shortening to as low as 47 days by 2029, proactive management is key to avoiding downtime.
SSL errors occur when the browser's handshake with your server fails during verification. Here's a breakdown of frequent ones, based on real-world diagnostics from tools like SSL Labs and browser consoles:
Common SSL Certificate Errors
• ERR_CERT_DATE_INVALID (Expired Certificate):
The certificate's validity period has lapsed. Certificates typically last 398 days max in 2025, but forgetting renewal causes this. Browsers like Chrome show "Your connection is not private" with NET::ERR_CERT_DATE_INVALID.
• ERR_CERT_AUTHORITY_INVALID (Untrusted Issuer):
The certificate is from an unrecognized or self-signed authority. Modern browsers only trust vetted CAs like Let's Encrypt or GlobalSign. This triggers "NET::ERR_CERT_AUTHORITY_INVALID" and blocks access.
• ERR_CERT_COMMON_NAME_INVALID (Name Mismatch):
The domain in the certificate doesn't match the site's URL (e.g., certificate for "subdomain.example.com" but site is "example.com"). Results in "Your connection is not secure" warnings.
• ERR_SSL_PROTOCOL_ERROR (Handshake Failure):
Often due to incompatible protocols or ciphers. In 2025, TLS 1.2+ is mandatory; older versions like SSL 3.0 are vulnerable to attacks like POODLE.
• ERR_CERT_REVOKED:
The CA revoked the certificate due to compromise or misuse. Browsers check revocation lists (CRL/OCSP) and display "This certificate has been revoked."
These errors manifest as full-page blocks or icons (e.g., broken padlock in Chrome). Always diagnose with tools like Qualys SSL Labs for detailed reports on chain issues or weak configs.
Securing your website lets your visitors trust you, which today is vitally important. However, eliminating the insecure content from the website has an even greater value of eliminating false positive warnings. If your SSL website is compromised, any insecure element an attacker inserts will trigger the mixed-content warning. The best way to avoid mixed content issues is to serve all content via HTTPS, not with the HTTP protocol.
Serve all content as HTTPS and double check all your links. Often the HTTPS version of the content already exists, and this just requires adding an “s” to the address.
Change http:// to https://
Or, for links within your own website, use relative URLs or links without the http://
<a href="/web-site-hosting">
<img src="/my-image.jpg">
In fact, all internal links within our website https://rshweb.com/ use relative URL links.
If HTTPS is not available, you can try contacting your hosting company to see if HTTPS is available.
If they offer no help, try using a different hosting company that does allow SSL.
If you are using cPanel with your hosting account, you can enable this option: Enable Force HTTPS Redirect just by checking the appropriate box.
If, however, you do not have cPanel available, or you need to enable it by hand, you can do this via your .htaccess file.
Edit or create a .htaccess file in the folder your website is being served from. Normally this is the /public_html directory.
You can easily edit the .htaccess file using an FTP client and text editor.
Add the following code to the .htaccess file:
# BEGIN HTTPS Redirect
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END HTTPS Redirect
Save the file and check the results in your web browser by trying to access your site using standard HTTP rather than HTTPS.
If it is working correctly, you should automatically be redirected to the HTTPS:// version of your website.
Upgrade Insecure Requests is a CSP (Content Security Policy) directive that allows you to tell the web browser that all the resources on your website must be accessed via HTTPS.
Your resources will automatically be requested on HTTPS by the client/browser, without any mixed content warning.
Upgrade Insecure Requests is supported by Mozilla Firefox, Google Chrome, Microsoft Edge, Opera, Android, Chrome for Android, Safari.
To implement this, you only need to add the following lines of code to your .htaccess file:
# BEGIN Fix mixed content warnings
<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>
# END Fix mixed content warnings
Again, save the file and check the results in your web browser by trying to access your site using standard HTTP rather than HTTPS. If it is working correctly, you will be automatically redirected to HTTPS.
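What "working correctly" looks like at the header level for both .htaccess snippets, as an added example that is not part of the original article: the functions check a response head (the kind of text `curl -sI` prints) for the 301 redirect and for the upgrade-insecure-requests directive. The function names and the response heads are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_head(raw):
    """Split a raw response head into (status code, {header name: [values]})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def redirects_to_https(raw, host):
    """True if the plain-HTTP response is a 301 to https:// on the same host."""
    status, headers = parse_head(raw)
    target = urlsplit(headers.get("location", [""])[0])
    return status == 301 and target.scheme == "https" and target.hostname == host.lower()

def upgrades_insecure_requests(raw):
    """True if an enforced CSP header carries upgrade-insecure-requests."""
    _, headers = parse_head(raw)
    # Content-Security-Policy-Report-Only is deliberately not accepted here:
    # browsers ignore this directive in a report-only policy.
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            if directive.lower().split()[:1] == ["upgrade-insecure-requests"]:
                return True
    return False

# Constructed response heads (not captured from a real server).
HTTP_OK = """HTTP/1.1 301 Moved Permanently
Location: https://example.com/css/style.css
"""
HTTP_TEMPORARY = """HTTP/1.1 302 Found
Location: https://example.com/css/style.css
"""
HTTPS_OK = """HTTP/1.1 200 OK
Content-Security-Policy: upgrade-insecure-requests;
"""
HTTPS_REPORT_ONLY = """HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: upgrade-insecure-requests;
"""
```

The 302 sample fails the first check because the rule above asks for R=301, and the report-only sample fails the second because that header does not enforce the upgrade.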
Fixing SSL or HTTPS warnings isn't just about tech, it's about building trust and avoiding costly downtime. By understanding errors, tackling mixed content, and adopting best practices like automation and short-lived certs, you'll secure your site effectively. Start with a full scan today, renew proactively, and watch your padlock shine. For persistent issues, consult your hosting provider or a CA expert.
Joel is an expert in the fields of digital, technology, and business. With a wealth of experience and knowledge, he has successfully navigated...
Comments (1)
Great article on keeping businesses safe online! As a small business owner, I found the tips on basic cybersecurity super helpful, especially the part about regular backups and strong passwords. It’s scary how common cyberattacks are now, and this was a good reminder to stay proactive. We’re just starting to set up some security measures. What’s the easiest first step for a small team with no tech background? Thanks for sharing such practical advice