How to fix mixed content on Wix

Steps for Wix

1. Wix enforces HTTPS on all sites automatically; mixed content most commonly comes from external embeds added via Wix HTML iframes or Wix Velo code.
2. In the Wix Editor, click any HTML iframe widget (Insert → Embed → HTML iframe) and check that the embed code uses https:// URLs, not http://.
3. If you use Wix Velo (Dev Mode), open your site's code files and search for any fetch(), import, or src references using http://; update them to https://.
4. Check any Wix app embeds (e.g. third-party chat, review widgets added via the App Market) — if a specific app is injecting HTTP resources, contact the app developer for an updated HTTPS embed snippet.
5. For media files, all images and videos uploaded directly to Wix are served over HTTPS automatically. If you reference external media (e.g. images hosted elsewhere), ensure those source URLs use https://.
6. Publish your site and open it in an incognito browser window; use DevTools (F12 → Console) to confirm no mixed-content warnings.

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

What is mixed content?

Mixed content happens when a web page is loaded securely over HTTPS but one or more of its resources — images, scripts, stylesheets, fonts, videos, iframes, or API calls — are still requested over plain HTTP. Browsers treat this as a security problem because the encrypted connection protecting your page can be undermined by an unencrypted resource. There are two kinds: "passive" mixed content (images, audio, video) which browsers may still display but flag with a warning, and "active" mixed content (scripts, stylesheets, iframes) which modern browsers block entirely, breaking functionality. A clean HTTPS store means every single request on every page uses HTTPS — no exceptions.

Mixed content directly harms your store in four ways. First, browsers show a "Not Secure" warning or remove the padlock icon, which destroys shopper trust and causes cart abandonment — studies consistently show customers abandon checkout when they see security warnings. Second, blocked active mixed content (a blocked script or stylesheet) can silently break your add-to-cart button, checkout form, live chat widget, or payment processor embed, costing you direct revenue with no obvious error message to trace. Third, Google has stated that HTTPS is a ranking signal; mixed-content warnings can undermine that signal and signal a poorly maintained site. Fourth, if your store is subject to PCI-DSS (required for card payments), serving payment-related resources over HTTP is a compliance violation that can result in fines or loss of payment processing privileges.

See the complete Mixed content guide for every platform and the full background.