Why blocked in prod but not dev?

localhost may be treated differently; always test on HTTPS staging.

Passive mixed content may load with warnings; active (JS/CSS) is stricter.

Update siteurl/home options and run search-replace on content URLs.

Error fix

How to fix “Mixed content (HTTPS page, HTTP resource)”

A secure page tried to load scripts, images, or XHR over insecure HTTP—browsers block or downgrade.

Start here first. Step 1 fixes most cases—then work down the list.

Replace http:// with https:// where supported or use protocol-relative carefully.
Set Content-Security-Policy upgrade-insecure-requests during migration.
Fix API base URLs in frontend config and server-rendered HTML.

Why this works

These steps work because it rules out local security software dropping the connection.

Mixed content weakens security. Modern browsers block active mixed content and warn on passive content depending on policy.

Hard-coded http:// URLs
Legacy embeds, CMS fields, or env defaults still point to HTTP.
Third-party scripts
Vendor snippets pulling HTTP assets on an HTTPS site.

Upgrade URLs
1. Replace http:// with https:// where supported or use protocol-relative carefully.
2. Set Content-Security-Policy upgrade-insecure-requests during migration.
3. Fix API base URLs in frontend config and server-rendered HTML.

Why blocked in prod but not dev?: localhost may be treated differently; always test on HTTPS staging.
Images only?: Passive mixed content may load with warnings; active (JS/CSS) is stricter.
WordPress?: Update siteurl/home options and run search-replace on content URLs.

Still stuck? Try these related fixes next.

Tweak the message and run again—we'll match an existing fix or generate a new page.

Original error message

Mixed Content: The page was loaded over HTTPS, but requested an insecure resource