Fix guide · medium · mixed_content
HTTPS page loads HTTP resources
What this rule means
Your page is served over HTTPS but loads scripts, styles, or images over plain HTTP.
Why it matters
Browsers either block these (mixed content) or warn the user the page isn't secure. For active mixed content (scripts, frames), an attacker can inject arbitrary code.
How to fix it
- Replace HTTP URLs with HTTPS or protocol-relative URLs in your source.
- Add a meta tag for upgrade-insecure-requests so old links auto-upgrade:
```html
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
```
- In CSP, set the `upgrade-insecure-requests` directive.
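To find the HTTP URLs that need replacing, the added example below (not vibecheck's own code) scans HTML source for subresources loaded over `http://` and labels each as active or passive mixed content, along with the HTTPS rewrite. The function name, tag tables and sample markup are assumptions made for illustration, and the regex-based tag matching is a simplification of real HTML parsing. It covers a few more tag types than the scripts, styles, images and frames named above.

```javascript
// Tags whose loaded resource can run code or restyle the page (active mixed content).
const ACTIVE_TAGS = new Set(["script", "iframe", "frame", "link", "object", "embed"]);
// Attribute that triggers the subresource fetch for each tag.
// <a href> is deliberately absent: it is navigation, not a subresource load.
const LOAD_ATTRS = { script: "src", iframe: "src", frame: "src", img: "src",
  audio: "src", video: "src", source: "src", embed: "src", object: "data", link: "href" };

function findMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g; // opening tags only
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    const attr = LOAD_ATTRS[tag];
    if (!attr) continue;
    // Match attr="..." / attr='...' / attr=bare, but not data-src or similar.
    const attrRe = new RegExp(
      `(?:^|\\s)${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, "i");
    const a = attrRe.exec(m[2]);
    if (!a) continue;
    const url = (a[1] ?? a[2] ?? a[3]).trim();
    if (!/^http:\/\//i.test(url)) continue; // https:, relative and data: are fine
    // Only <link rel=stylesheet> is treated as a load; rel=canonical fetches nothing.
    if (tag === "link" && !/\brel\s*=\s*["']?[^"'>]*stylesheet/i.test(m[2])) continue;
    findings.push({
      tag, url,
      kind: ACTIVE_TAGS.has(tag) ? "active" : "passive",
      fix: url.replace(/^http:/i, "https:"),
    });
  }
  return findings;
}

// Constructed sample page, assumed to be served over HTTPS.
const SAMPLE = `
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/">
<script src="http://cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
<img src='http://img.example.com/logo.png' alt="logo">
<iframe src=http://widgets.example.com/embed></iframe>
<a href="http://example.com/about">About</a>
`;

for (const f of findMixedContent(SAMPLE)) {
  console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url} -> ${f.fix}`);
}
```

Confirm that each rewritten host actually serves the resource over HTTPS before changing the URL, since an upgraded request to a host without HTTPS fails to load.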
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.