How to fix mixed content on PrestaShop

Steps for PrestaShop

1. In the admin panel, go to Shop Parameters → General and enable 'Force HTTPS' — this forces all store pages to use HTTPS.
2. Go to Advanced Parameters → Performance and flush all caches after making changes.
3. Search your theme files (under /themes/your-theme/) for any hardcoded http:// asset references in .tpl, .css, and .js files; update to https://.
4. In the admin back office, check CMS Pages (Design → Pages), product descriptions, and category descriptions for any http:// image URLs embedded via the rich-text editor.
5. For modules that inject external scripts (Modules → Module Manager), check each module's configuration for HTTP embed codes; update to HTTPS versions.
6. Add a Content-Security-Policy header via your server config or a PrestaShop security module to enforce upgrade-insecure-requests as a safety net.
7. Clear the cache (Advanced Parameters → Performance → Clear cache) and verify the storefront in a browser with DevTools open.

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

What is mixed content?

Mixed content happens when a web page is loaded securely over HTTPS but one or more of its resources — images, scripts, stylesheets, fonts, videos, iframes, or API calls — are still requested over plain HTTP. Browsers treat this as a security problem because the encrypted connection protecting your page can be undermined by an unencrypted resource. There are two kinds: "passive" mixed content (images, audio, video) which browsers may still display but flag with a warning, and "active" mixed content (scripts, stylesheets, iframes) which modern browsers block entirely, breaking functionality. A clean HTTPS store means every single request on every page uses HTTPS — no exceptions.

Mixed content directly harms your store in four ways. First, browsers show a "Not Secure" warning or remove the padlock icon, which destroys shopper trust and causes cart abandonment — studies consistently show customers abandon checkout when they see security warnings. Second, blocked active mixed content (a blocked script or stylesheet) can silently break your add-to-cart button, checkout form, live chat widget, or payment processor embed, costing you direct revenue with no obvious error message to trace. Third, Google has stated that HTTPS is a ranking signal; mixed-content warnings can undermine that signal and signal a poorly maintained site. Fourth, if your store is subject to PCI-DSS (required for card payments), serving payment-related resources over HTTP is a compliance violation that can result in fines or loss of payment processing privileges.

See the complete Mixed content guide for every platform and the full background.