How to fix mixed content on BigCommerce

Steps for BigCommerce

1. BigCommerce provides HTTPS sitewide; mixed content typically comes from theme files or content entered in the control panel.
2. Go to Storefront → My Themes → your active theme → Advanced → Edit Theme Files.
3. Search all template (.html), stylesheet (.scss/.css), and JavaScript files for 'http://' and update any found asset URLs to 'https://'.
4. In the control panel, go to Products and check product descriptions (HTML view in the description editor) for HTTP image URLs — update each to HTTPS.
5. Check Storefront → Script Manager for any third-party scripts using HTTP src URLs; update them to HTTPS equivalents.
6. Add the CSP upgrade-insecure-requests meta tag inside the <head> section of your base.html (or equivalent) template file as a safety net.
7. Use browser DevTools on your live store to confirm no mixed-content errors remain in the Console tab.

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

What is mixed content?

Mixed content happens when a web page is loaded securely over HTTPS but one or more of its resources — images, scripts, stylesheets, fonts, videos, iframes, or API calls — are still requested over plain HTTP. Browsers treat this as a security problem because the encrypted connection protecting your page can be undermined by an unencrypted resource. There are two kinds: "passive" mixed content (images, audio, video) which browsers may still display but flag with a warning, and "active" mixed content (scripts, stylesheets, iframes) which modern browsers block entirely, breaking functionality. A clean HTTPS store means every single request on every page uses HTTPS — no exceptions.

Mixed content directly harms your store in four ways. First, browsers show a "Not Secure" warning or remove the padlock icon, which destroys shopper trust and causes cart abandonment — studies consistently show customers abandon checkout when they see security warnings. Second, blocked active mixed content (a blocked script or stylesheet) can silently break your add-to-cart button, checkout form, live chat widget, or payment processor embed, costing you direct revenue with no obvious error message to trace. Third, Google has stated that HTTPS is a ranking signal; mixed-content warnings can undermine that signal and signal a poorly maintained site. Fourth, if your store is subject to PCI-DSS (required for card payments), serving payment-related resources over HTTP is a compliance violation that can result in fines or loss of payment processing privileges.

See the complete Mixed content guide for every platform and the full background.