What is a mixed content warning?

At Hostinger, all websites hosted on our Web, WordPress, and Cloud Hosting plans include a free SSL that is installed and enforced automatically - that is, the connection is set to go through HTTPS instead of HTTP.

If the website contains elements that are still loaded over an HTTP connection, a mixed content warning will appear. You can check it from your browser console:

Mixed content warning from the browser console

How to fix a mixed content warning

We have prepared detailed guides on how to fix the mixed content error for the most popular CMS. You can find them here:

If you are using a different CMS or have a custom-coded website, proceed with the steps below:

Step 1 - Check the configuration file

If your website has a configuration file, start there - your website’s URLs (or default content URLs) may be added there using the HTTP protocol:

The configuration file of a website showing http being used instead of https on the default content URL

In that case, simply replace http with https.

Step 2 - Check the source code file

If you are a website developer, and the mixed content issue is visible on specific pages only, the Why No Padlock tool can help you easily detect which pages have mixed content issues.

Once you have found the page, open the page file using the File Manager and search by “http://”. Most likely, you will find the content in question:

A website source code file showing http being used to load an image instead of https

Before replacing http with https for these URLs, make sure that the content is available using a secured connection - open the URL and change HTTP to HTTPS in the browser address bar.

  • If the content is available - you can safely update the URL on your source file

  • If the content is not available, you can either replace it with another content available via HTTPS or host the content directly on your website. Alternatively, you can remove the content

Step 3 - Add a redirect rule to .htaccess

If the error persists after checking the configuration file and source code, you can add the following code to your website's .htaccess file:

Header always set Content-Security-Policy: upgrade-insecure-requests

Save the changes and visit your website from an incognito window - it should load fully secured 💪

NOTES:

  • This option is not recommended if your website uses symlinks

  • If your website does not have an .htaccess file, you can create it

Did this answer your question?