How to fix mixed content on Adobe Commerce (Magento)
Audit every page, asset, and third-party embed on your store to ensure no HTTP resources are loaded on HTTPS pages, and fix any mixed-content violations before they trigger security warnings or silently block content in visitors' browsers.
Steps for Adobe Commerce (Magento)
- In the admin panel, go to Stores → Configuration → General → Web.
- Under 'Base URLs (Secure)', set the Secure Base URL to https:// and ensure 'Use Secure URLs on Storefront' and 'Use Secure URLs in Admin' are both set to 'Yes'. Save Config.
- Go to Stores → Configuration → General → Web → Base URLs and confirm the non-secure Base URL also redirects to HTTPS (handle this via your server's .htaccess or nginx config with a 301 redirect).
- Run the Magento URL reindex and clear the full-page cache: in the admin go to System → Cache Management → Flush Magento Cache, or via CLI: php bin/magento cache:flush.
- Use a database search-replace tool or a Magento module (e.g. the free 'MagePal HTTP to HTTPS Redirect' or similar) to update any hardcoded HTTP URLs stored in the catalog, CMS pages, and widgets tables.
- Check any third-party extensions that inject scripts or assets (System → Integrations, or custom modules in app/code) for hardcoded HTTP asset URLs and update them.
- Add the Content-Security-Policy upgrade-insecure-requests header in your server config (Apache: Header always set Content-Security-Policy 'upgrade-insecure-requests'; Nginx: add_header Content-Security-Policy 'upgrade-insecure-requests';) or via a plugin.
- Flush all caches again and verify with browser DevTools that no mixed-content warnings remain.
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
What is mixed content?
Mixed content happens when a web page is loaded securely over HTTPS but one or more of its resources — images, scripts, stylesheets, fonts, videos, iframes, or API calls — are still requested over plain HTTP. Browsers treat this as a security problem because the encrypted connection protecting your page can be undermined by an unencrypted resource. There are two kinds: "passive" mixed content (images, audio, video) which browsers may still display but flag with a warning, and "active" mixed content (scripts, stylesheets, iframes) which modern browsers block entirely, breaking functionality. A clean HTTPS store means every single request on every page uses HTTPS — no exceptions.
Mixed content directly harms your store in four ways. First, browsers show a "Not Secure" warning or remove the padlock icon, which destroys shopper trust and causes cart abandonment — studies consistently show customers abandon checkout when they see security warnings. Second, blocked active mixed content (a blocked script or stylesheet) can silently break your add-to-cart button, checkout form, live chat widget, or payment processor embed, costing you direct revenue with no obvious error message to trace. Third, Google has stated that HTTPS is a ranking signal; mixed-content warnings can undermine that signal and suggest a poorly maintained site. Fourth, if your store is subject to PCI-DSS (required for card payments), serving payment-related resources over HTTP is a compliance violation that can result in fines or loss of payment processing privileges.