Stop the "page contains secure and nonsecure items" warning

Are your SSL web pages plagued by the browser warning "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?"

Do you want to display nonsecure items?

This is a common error that occurs when some element on a secure web page (one that is loaded with https:// in the address bar) is not being loaded from a secure source. This usually occurs with images, frames, iframes, Flash, and JavaScripts. If you are having trouble finding what elements are loading from http instead of https, try WhyNoPadLock.com. Once you found the elements, there are a few ways to fix them:

1. Change all URLs to https

Just open up the offending web page and search for http://. Change the references on all images, iframes, Flash, and Javascripts to https://. For example.

<img src="https://www.domain.com/image.gif" alt="" />

This may not work if you are loading an image from another site that does not have SSL set up. Also, with this method you'll be loading SSL images even when the client is loading from a non-secure page. This will add extra processing load on the server and client. This is definitely not recommended for a high volume site.

2. Change all links to // or make them relative

Rather than changing all the links to https://, change them to just //

<img src="//www.domain.com/image.gif" alt="" />

Alternatively, if the images or scripts are located on the same domain, you can access them relatively, rather than absolutely:

<img src="image.gif" alt="" />

Using this method, the browser will know that it must load the image securely if the web page is being loaded securely but it will also load the image normally if the page is not being accessed securely. The image will still need to be available on the other server securely. This is likely the best method of getting rid of the pesky "Do you want to display the nonsecure items?" warnings.

3. Change the browser settings

It is best to change the code of the page that is giving the error, but if you don't have access to change the code, you can always tell your personal web browser not to display that message. To do so follow these steps for Internet Explorer:

  1. Go to Tools, Internet Options.
  2. Select the "Security" Tab and then click on the "Custom Level" button.
  3. Scroll down until you see the option: "Display mixed content". Select "Enable".
  4. Click Ok. Then you will get a "Security Warning" pop-up. Click Yes.

One common reason that this warning shows up is using normal Google Analytics code on a secure page. It is a simple fix to enable Google Analytics on a page using SSL.

Originally posted on Sun Sep 9, 2007

Comments (52)

  1. Robert:
    Jan 07, 2014 at 07:39 AM

    Hi Sai, Unfortunately, you will need to manually update all of the URLs. I can't think of any way to do this automatically.

  2. Sai:
    Jan 06, 2014 at 05:58 AM

    Hi All, I have multiple pages which has the same errors(Running on IE 6). Few blogs say that we need to make the src of javascript to blank. Is there a way wherein we can fix this issue globally instead of changing each url or each page javascript. Thanks, Sai

  3. Narendra:
    Jun 28, 2013 at 02:26 AM

    (1)Go to Tools, Internet Options. (2)Select the "Security" Tab and then click on the "Custom Level" button. (3)Scroll down until you see the option: "Display mixed content". Select "Enable". (4)Click Ok. Then you will get a "Security Warning" pop-up. Click Yes.

  4. sinisa:
    May 14, 2013 at 02:27 AM

    Thanks a lot.i read this webpage and stupid prompts is disapear.

  5. Becky:
    Mar 27, 2013 at 05:36 AM

    This has been driving me crazy for months. Option #3 worked for me. Thank you so much for posting the solution!

  6. T.J.:
    Jan 11, 2012 at 02:59 AM

    Thanks loads, it drives you mad when they keep popping up

  7. Hannah:
    Jan 05, 2012 at 11:17 AM

    Option 3 worked. Thanks so much!!!

  8. Mad Eddie:
    Nov 30, 2011 at 03:54 AM

    Chrome reports relative URLs als insecure. Even when these URL's are relative to the current HTTPS page you are on and coming from the same site and trough the same SSL as the page you are viewing. Infact. When i make a page wich contains only the text 'test'. a plain HTML file with only the word 'test' and NOTHING else. It still flags it. (Maybe related to chrome plugins we have installed?)

  9. Jatinder:
    Oct 18, 2011 at 05:02 AM

    How we can achieve same with javascript or jquery.

  10. hitesh:
    Oct 05, 2011 at 12:02 AM

    In my site there one external css & js which is creates problem for me in HTTPS, and i can’t remove that because it is important, and also not able to download and set it up on my site… They are also not provide css & js with https code… So what to do? Please give me solution… Thanks…

  11. Robert:
    Sep 15, 2011 at 04:56 AM

    Hi Hitesh, You will either need to remove the items that can't be loaded from a secure https source or ask the site owners if they can set up https on their site.

  12. hitesh:
    Sep 15, 2011 at 04:42 AM

    Hi, I have a one problem in my site for ssl, i remove all the absolute path and give relative path to all images and css, but there are few images & js which is coming from other site, so that's why it is gives me warning. And those sites are not ssl enabled so i m not able to give https:// for external images & js. Thanks.

  13. Sarah:
    Sep 15, 2011 at 04:16 AM

    I have a website that is using a lot of relative links, which I believed would mean this was not an issue, however the items being linked to are being reported as coming from http and not https :( Any thoughts?

  14. dapogz:
    Sep 07, 2011 at 01:06 AM

    even though this is an old thread THIS still ROCKS.. THANKS...

  15. Andrea:
    Jul 02, 2011 at 06:34 AM

    Thank you so much....I have been looking at my internet options to eliminate these pop-ups for awhile now!

  1. 1
  2. 2
  3. 3
  4. 4




Allowed tags: <b><i><br>Add a new comment: