Mixed Content Checker

Find HTTP resources on HTTPS pages. Detect mixed content issues that cause browser warnings and security risks.

What does Mixed Content Checker do?

This actor scans HTTPS web pages for mixed content -- HTTP resources loaded on secure pages. It checks scripts, stylesheets, images, media, iframes, forms, and CSS url() references. Mixed content causes browser security warnings and can break page functionality.

The actor loads each page in a browser, inspects all resource references, and categorizes them by protocol (HTTPS, HTTP, data URI, relative). Any HTTP resource on an HTTPS page is flagged as mixed content with its type, source URL, and location in the DOM.

Use cases

• Security auditing -- find insecure resources that trigger browser warnings and compromise the security of HTTPS pages
• HTTPS migration -- verify all resources are upgraded after HTTP to HTTPS migration with no leftover HTTP references
• Compliance checking -- ensure pages meet security standards that require full HTTPS resource loading
• SEO monitoring -- mixed content can affect search rankings and cause Google to flag pages as partially insecure
• Quality assurance -- catch mixed content before production deployment to prevent user-facing browser warnings

Why use Mixed Content Checker?

• Deep scanning -- checks scripts, stylesheets, images, media, iframes, forms, and CSS url() references, not just top-level resources
• Browser-based detection -- uses a real browser to find mixed content that static analysis would miss, including dynamically loaded resources
• Structured output -- get clean JSON with resource counts by protocol, individual mixed content items, and page metadata
• Batch processing -- scan hundreds of URLs in a single run to audit entire sites after HTTPS migration
• API access -- integrate mixed content monitoring into CI/CD pipelines or deployment verification workflows
• Pay-per-event pricing -- only pay per page checked with no monthly fees

Input parameters

Parameter	Type	Required	Default	Description
urls	array	Yes	--	List of HTTPS web page URLs to check for mixed content. Each URL is loaded in a browser and all resource references are inspected.

Example input

{
    "urls": [
        "https://www.google.com",
        "https://en.wikipedia.org/wiki/Web_scraping",
        "https://example.com"
    ]
}

Output fields

Each URL produces one record with the following fields:

Field	Description
url	The original URL provided in the input
title	The page title
isHttps	Whether the page was served over HTTPS
mixedContentCount	Total number of HTTP resources found on the HTTPS page
mixedContentItems	Array of mixed content items with URL, resource type, and element tag
resourceCounts	Breakdown of all resources by protocol (https, http, dataUri, relative, other)
hasMixedContent	Boolean shortcut indicating whether any mixed content was found
error	Error message if the check failed, null otherwise
checkedAt	ISO 8601 timestamp of the check

Output example

{
    "url": "https://example.com",
    "title": "Example Domain",
    "isHttps": true,
    "mixedContentCount": 0,
    "mixedContentItems": [],
    "resourceCounts": {
        "total": 2,
        "https": 0,
        "http": 0,
        "dataUri": 0,
        "relative": 2,
        "other": 0
    },
    "hasMixedContent": false,
    "error": null,
    "checkedAt": "2026-03-01T12:00:00.000Z"
}

How much does it cost?

Mixed Content Checker uses Apify's pay-per-event pricing. You only pay for what you use.

Event	Price	Description
Start	$0.035	One-time per run
URL checked	$0.001	Per page checked

Cost examples:

• 10 pages: $0.035 + 10 x $0.001 = $0.045
• 100 pages: $0.035 + 100 x $0.001 = $0.135
• 1,000 pages: $0.035 + 1,000 x $0.001 = $1.035

Using the Apify API

You can start Mixed Content Checker programmatically using the Apify API. Replace YOUR_TOKEN with your Apify API token.

Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_TOKEN' });
const run = await client.actor('automation-lab/mixed-content-checker').call({
    urls: ['https://example.com', 'https://www.google.com'],
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Python

from apify_client import ApifyClient

client = ApifyClient('YOUR_TOKEN')
run = client.actor('automation-lab/mixed-content-checker').call(run_input={
    'urls': ['https://example.com', 'https://www.google.com'],
})
items = client.dataset(run['defaultDatasetId']).list_items().items
print(items)

Integrations

Connect Mixed Content Checker with other tools using Apify integrations. Export results to Google Sheets for migration tracking, send Slack alerts when mixed content is detected on production pages, trigger Make or Zapier workflows for automated remediation, push data to n8n for custom pipelines, or configure webhooks to run checks after every deployment.

Tips and best practices

• Run after HTTPS migration to verify that no HTTP resources were left behind -- even a single mixed content item can trigger browser warnings.
• Check the mixedContentItems array for the exact URLs and resource types that need updating in your codebase.
• Focus on active mixed content first -- scripts and stylesheets loaded over HTTP are blocked by modern browsers, while images may only show a warning.
• Schedule regular scans to catch regressions when new content, third-party scripts, or CMS updates reintroduce HTTP references.
• Combine with SSL Certificate Checker to ensure both your certificates and page resources are fully secured.

FAQ

What is mixed content? Mixed content occurs when an HTTPS page loads sub-resources (images, scripts, stylesheets) over HTTP. Browsers either block these resources or show security warnings, depending on the resource type and browser settings.

Does this actor check pages served over HTTP? The actor is designed for HTTPS pages. If you provide an HTTP URL, it will load the page but the concept of mixed content only applies to HTTPS pages loading HTTP resources.

What is the difference between active and passive mixed content? Active mixed content (scripts, stylesheets, iframes) is blocked by most modern browsers because it can alter page behavior. Passive mixed content (images, audio, video) may only trigger a warning. The actor detects both types.