Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can I get rid of the "This page contains both secure and nonsecure items" warning?

Can I get rid of the “This page contains both secure and nonsecure items” warning?


Not that I’m aware of, and not that I would want to. Not being notified is in fact a security risk when visiting sites you don’t already know and trust. For the sites you do trust, the message results from bad site design on their part.

Thank you to a few readers who posted a solution to avoiding the warning:

  • When you receive the error message, click Yes.

  • In Internet Explorer, go to Tools, Internet Options, click the Security tab; make sure that in “Select a zone…” window that Internet is selected.

  • Click Custom Level and scroll down about half way to “Display mixed content” in the Miscellaneous section.

  • Change it from Prompt to Enable.

  • Click OK, Yes, and OK. The change should take effect immediately.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

71 comments on “Can I get rid of the "This page contains both secure and nonsecure items" warning?”

  1. I apoligize, My question was not clear enough for you to give me the answer I needed. I may have forgotten to mention that this notice isnt when I surf, but when I am answering emails online. It is when I op;en the email in the webmail box at Earthlink, always the message opens up a new window, then that window always asks the same question:

    Can I get rid of the “This page contains both secure and nonsecure items” warning? Not that I’m aware of, and not that I would want to. Not being notified is, in fact, a security risk when visiting sites you don’t already know and trust. For the sites you do trust … the message results from bad site design on their part.

    Thank you very much for taking the time to answer. I just used Netscape Mail today, and I noticed that it is not giving me that message there. Thank you again.

  2. Greg: if you’re reading your email via a web interface, then my comment still applies. Your Earthlink web interface appears to be showing both secure and nonsecure items at the same time. That’s bad design on their part.

  3. Great question! I am using a site that hasn’t been set up properly, and I get that annoying security message often!

    I am posting the solution to the issue here. I always support giving people all the info there is, and just warn then that they are subverting a security option. Then the user can make their own decision.

    There is a browser setting in IE6 to turn this off (not sure of earlier browsers). Check out Tools > Internet Options > Security > Custom Level > Miscellaneous > Display mixed content. By default its set to prompt, reset it to Enable.

    Of course, there are other browsers out there .. Netscape ( or Opera ( to name the two other most popular ones.


  4. Hi,
    On this issue, I am working on the development side of a website and I get this error very often on that website. I know it must be related to the bad design on the website. Could some tell me how to fix it? Your help is very much appreciated.

  5. I had the same problem. It was caused by a missing src attribute in the IFRAME tag. When you set the src, make sure it points to a real file.

    Hope this seves somebody’s time :)

  6. 1. Go to the top of your browser and click on Tools and select Internet Options.
    2. Click on the Security tab
    3. Click on the Custom Level button at the bottom
    4. In that top box, scroll down to the Miscellaneous section (look for the Internet Explorer icons next to the topics) and find where it says “Display Mixed Content”
    5. Click the Enable bubble to select that option
    Disable–you will not see the message anymore, nor will the nonsecure items be displayed
    Enable–you will not receive the message anymore, and the nonsecure items will be displayed on the page
    Prompt–you will receive the message everytime a website has both secure and nonsecure items on it (this is the current setting in the browser that causes you to receive the message every time).
    6. Once you have selected Enable, click on the OK button to close that window, and then click OK again to close the other window.
    7. You may need to close your browser and then reopen it to see the changes take effect

  7. That’s all well and good, but as a developer, how can I tell which things are being picked up as non-secure so that I can correct the issue? I’m going over code from a previous developer and for the life of me I can’t see any references to anything outside of our secure domain.

  8. Basically everything needs to be https … something isn’t. You might try firing up Firefox, and using the Web Developer extension … it allows you to look at various bits of information including the paths of objects on the page.

    Good luck!

  9. for developers:

    from a secure site .i.e https:// – where you reference the codebase for macromedia change the codebase=”…… to codebase=”….. and this will sort the problem out

  10. My problem is that I keep getting the “This page contains both secure and nonsecure items” warning even though “Enable” IS checked in the “Miscellaneous” section of the Security tab of Internet Options. Can anyone tell me what further step I must take to get rid of the nuisance warning?

  11. Leo, I found the answer. I discovered that, on the Security tab in Internet Options, I had to make this configuration under “Restricted Sites” also, not just under “Internet” or “Trusted Sites.” The problem occurred at where I play Monopoly. I like your site. Very nice that one doesn’t have to sign up or login to comment. Thank you very much.

  12. The problem is generally caused by an iframe on the page. iframes are used under popups to ensure that dropdowns don’t paint over the popup (another IE bug).

  13. To stop getting this message, do the following :
    1) Open the browser
    2) Go to Tools->Internet Options
    3) Click on the security tab.
    4) Click on Custom Level
    5) In this list, Look for ” Display Mixed Content” and click on enable
    6) Then look for “Launching programs and files in an IFRAME’ and click on enable.
    7) Click on OK and then OK again
    8) Close all Internet explorer windows

  14. Microsoft says this is a known issue and has issued a hotfix for it (I don’t know if it works and it also requires some registry tweaking), but its only good for Windows XP, 2000, etc, and does not apply to Windows ME and before. Guess which OS I have.
    I have enabled all the above mentioned and even enabled them in all the other zones and it still comes back.

  15. I just set the “Display Mixed Content” to enabled for all zones : Internet, Intranet, Trusted and Restricted sites and the warning has gone.

  16. Hi Leo,

    I am a site developer. There are good reasons why there may be a mix of secure and unsecure elements within a page. For example, within a secure part of a site i developed, i have references to google maps, who – as far as i’m aware – do not offer a secure equivalent to their service (and even if they do, other services don’t, so the argument prevails).

    Even if you implement the the “brute force” method of segregating all secure information from insecure information (which may not make sense to the user), and then designating every page (of hundreds of pages) as secure or unsecure, you may still have users receive the “you are entering/leaving a secure page” type of message. If there is a not-“bad site design” that can get around this issue, i’m not aware of it.

    And besides, users are already trusting me to properly handle their secure information. There are much easier ways for me to abuse that trust then to explicitly put links to unsecure services in my pages. This message is just a nuisance.

  17. Hi everybody..

    I was facing the same problem mencioned above.

    It was caused by an IFRAME I put on my page to have a DIV over a SELECT box. The problem was that my IFRAME didn’t have a secure SRC target (actually, it was left blank ;p), so it is treated as a “nonsecure item”.

    I just could get free from that boring message by adding a SRC URL to the IFRAME.

    I hope, it’ll be useful!

    Marcio Lima
    [Email Address Removed]

  18. hey leo,
    i have lost the microsoft word on my computer there is no sign of it how can i get it and i dont have the windows xp cd im in real trouble i need the word but i cant get it so plz can u help me.

  19. Thanks, Marcio. Not having a src was my problem. I added “blank.html” (nothing in the file except beginning and ending html tags) to the same folder as the file (so that it is within the secure site) and assigned the src attribute to it. Problem resolved!

    Thanks also to Leo for the good site and solution.


  20. Frankly, this is a stupid warning. It scares users for no reason. There is nothing wrong with having secure and unsecure content on your page. The problem is when your url in the address bar is secure but the form your submitting is unsecure. That’s when the warning should be displayed.

    There is a very seldom chance that you need to secure images on you page. I.e. Why would you ever need to secure your logo? It doesn’t make sense. There is no need to encrypt images, stylesheets, javascript.

    Using ssl only encrypts your content as it’s passing through the network. The reason why you would encrypt your content is because you don’t want people to see it if they’re sniffing. Yes, they won’t see the content with their packet sniffer, however, that is not good enough. They can just take the url and paste it in the browser. In order for your content to be truely secure you need to develop some authentication system around it. So that if someone tries to access your content such as an image it will prompt them for authentication. Putting authentication on every image on your page is “stupid” unless every image has critical information.

    This Internet Explorer feature vexes me.

  21. Marcio,

    I am facing similar problem, I have checked the IFRAME tag and its pointing to the correct SRC path. can you pls tell me what else or which other part of HTML is causing this error?

    how can i get rid of those errors? And most important – I dont want to change any settings of my IE.


  22. Hi Everyone !

    Same problem… I use Javascript to change the Iframe URL :
    Iframe.src = url; The url I get is for example : “index.php5?this=that”. This is relative. Is it secure or not ? Can the problem come from this?
    THX !


  23. oh, made mistake…
    I use XSL to Transform XML into HTML. In my xsl stylesheet, I have : “”
    I can’t take off this line, so I’m not sure this is the reason… oh oh i’m lost…

  24. “Tools” > “Internet Options”. Select the “Content” tab. Click the “Disable” button under “Content Advisor”.

  25. Not sure if it’s relevant. But my site was giving this error, until i’d made my ‘include’ folder run under SSL, as well as my main folder.
    So, check the code insecure links, and then double check all folders in the website are using ssl.

  26. The solution our company has entered into its FAQ is as follows —

    CAUSE: The page you are attempting to view is a secured site (note the https in the URL prefix) but it contains unsecured data.

    1. When you receive the error message, click Yes.
    2. In Internet Explorer, go to Tools, Internet Options, Security tab; make sure that in Select a Web content zone… that Internet is selected.
    3. Click Custom Level and scroll down about half way to Display mixed content in the Miscellaneous section.
    4. Change it from Prompt to Enable.
    5. Click OK, Yes, OK. The change should take effect immediately.

  27. This happens if you use secure google, but if you search the page, there are no “http://” connections present….so as someone pointed out, they must be linking to an “unsecure” image within one of their .js or .css files…

  28. In the “Select a zone…” window select Internet and Trusted (Local if you wish). If you only select Internet, then sites you add to your Trusted list will still warn you that it is a security risk.

    Me: Internet Explorer, I trust website [whatever].

    Internet Explorer: OK. Hey this “trusted” site has mixed content, are you sure you want to display it?

    Me: …

  29. Why not just select Disable? This is the setting I use and I have not noticed any problems. You can always change it back to enable if content is not displayed.

  30. How can I know which elements causes such warning. I have analyzed all elements in my page, and all elements in the page are access over https but still I get secured and nonsecure warning in IE6. I would appreciate if you can tell me some tool to analyze pages.

  31. Hi,

    I have experienced a security pop up on my website, each time I open a new page. Our site is over 1300 pages in size, this has caused some active members to vanish. What could I do to get rid of the SSL security error altogether, without having to ask each member to reconfigure their browser settings?

    I read somewhere about the https:// verses using http:// I am very new to this sort of thing. I would like a very secure website, although can there be such a thing as too secure?

    If you don’t respond, its okay.
    If you can check out my website, I would pay, LOL. I’m really getting frustrated with this. Its one stop write shop. I will add a link there for your business when our resource page is up and running, too. If you don’t mind, thank you.

    PS. I read the rules, so if you cannot keep my comment up, its okay. Just needing some help with this issue before I go bazerk. href=””>

  32. Jane’s comment (probably above mine), caught my eye because the same thing’s been happening when I go to login at yahoo.

    It’s really annoying, and I thought it was just me. Apparently not!
    Nice to know why it’s happening now, though.

  33. What I do not understand is how a site like can have both http:// and https:// links on a https:// page.
    When you go to their Sign In page you are brought to a secure page but the links surrounding the sign-in form are http:// can someone explain how this is done without that secure/unsecure items popup appearing? Thx.

  34. I get this (I think) because of a Flash element that I have placed on the page. The codebase URLs are http; not sure yet if there is a secure site to DL these codebases.

  35. Hi,


    Long story short, to eliminate, as a user, that annoying ‘secure or non-secured’ popup make sure to ENABLE ALL four occurences of Display Mixed Content, i.e.: Internet, Local Intranet, Trusted Sites, Restricted Sites.

    Worked like a charm.

    Good luck.


  36. I’m not an expert on this, but basically, if you pages pull non http content such as an image or a script, that error message will pop up.

    Basically, just ensure images don’t have full paths such as (img src=”http://somepath.gif”> and scripts aren’t included such as .

    Instead, replace all paths with relatives ones. This means they will adopt whichever http protocol currently in use. If, you have to specify a full path, try using https. However, keep in mind there will be advanced reason you will have to learn about why this may or may not work.

    There may also be other nonsecure elements I’m not thinking on your pages that might cause the popup.

    Best of luck.

  37. “This page contains both secure and nonsecure items” THANK you! This worked EXACTLY as the article described. And it was immediate. I opened a tab and surfed to a site I use MANY times daily where I got that inane prompt. I did not get it after following the aritcle simple steps. ALL “fixes” should be this easy and this effective!

  38. After reading the comments, I realized what
    was causing the problem. I am testing a new
    page on a secure web site. But I left my
    base anchor specification to point to a file on
    my local “C” drive.

    By changing my new page’s HREF in the element to point back to the website I was able to eliminate the nagging messages.

    I have references to both HTTP and HTTPS on my
    web page, all going back to the original website.
    It does not cause that nagging message. It probably (among other causes) occurs if the page has a reference is to some location outside of the website from which the origianl page comes.

  39. I tried all of the client side settings for Internet Explorer in these articles and none of it worked. What did fix the problem was re-creating the user’s profile on the machine. I realized this after logging myself into the workstation and let the user login to the sites that were getting the error and the error did not re-occur

  40. I tried the readers’ suggestion to change the ‘mixed content’ setting. It worked great! Thanks – this has been a nuisance with that annoying message on Amazon.

  41. I agree with the developer in that sometimes this is unavoidable and not necessarily bad design. This happens with google maps for me too.

    To resolve in IE7 with google maps issue, I have added both the main site AND the “nonsecure” site to trusted zones, and set the option appropriately.

    This means my trusted zones contains


    This means unchecking the “sites in this zone require https” option.

  42. Doesn’t work in IE 6.0.3790 – happens for me with a site that is in a Trusted zone, and for Trusted Sites, showing Mixed Content is already set to “Enable” (I checked). Need another theory.

  43. Ok, I am receiving the same dreaded message however as we are affliated with the Government, our Internet Security settings have been disabled. Now I have checked all through the source code (HTML, CSS and Javascript files) and all references to items are either relative or if they are absolute, they are https://…..

    Any suggestions? Please

  44. Hi All,
    I was able to get rid of the problem. Following are my comments or suggestions on this –
    1. If at all you are including other jsp, js, images and css files, do not specify the full URL like “http:\\ … “. Try giving the relative path / context path.
    2. If you are using IFRAME, donot miss to specify SRC attribute or leaving it empty. Give some blank page url atleast or hide it in the page.
    3. Changing the IE Settings to eliminate the alert does help, but this is not a correct solution. Client may come back and say he is not ready to do this. And more over what if the application is being used by 1000+ users. You cannot just shoot an email to all and because of these settings, they cannot view alerts from other secured sites too.

  45. 1) Open Internet Explorer

    2) Click on Tools

    3) Click on Internet Options

    4) Click on the Security Tab

    5) Click on the Custom Level button

    6) Under the Miscellaneous section look for “Display Mixed Content”

    7) Click on Disable for Display Mixed Content instead of Prompt

    8) Click on OK twice

    9) Close Internet Explorer and reopen

    10) Open the webpage that was displaying the warning message, the message should not appear now.

  46. it doesnt work. on ebay i get it constantly no matter whether its enabled or disabled. i just cant get rid of the bloody message. im not pc literate enuf to really sort out how tos ive seen other than the one on here and it doesnt work. im sick to death of the bloody message

  47. If the site that is giving you this message is a site you trust, then you can add the site to your trusted sites. Once it is added to the trusted sites, you can then make the recommended modification to your security settings, but do it for trusted sites instead of for the entire internet.

    Just a suggestion that may help get rid of an annoyance, and keep you a bit safer while surfing.

  48. what I do is capture the prefix of the current browser url up to the last slash, and everywhere where the url() image is specified in javascript, I place the prefix.


    var prefix = location.href.substring(0,location.href.lastIndexOf(“/”)+1); // prefix is to remove ssl warning contains nonsecure items.

    cell.innerHTML = “”

    The prefix has to be used everywhere. I mean EVERYWHERE a dynamic item is created using javascript and specifying the url() to an image.

  49. looks like the cell.innerHTML content was stripped.

    trying with lt and gt:

    cell.innerHTML = “<input type="button" style="background:url("+prefix+"images/fancybutton.jpg)">”;

  50. Thank You, Thank You, Thank You!!!!! This warning has been driving me nuts! Apparently the setting was changed by an IE8 Upgrade? as I just started getting them from sites that I had no problem accessing in the past. Just make sure you scroll down to the ” Display mixed content ” section before making the change. Worked like a charm Appreciate the help.

  51. Many thanks for that tip, works brilliantly. Yahoo have messed up their home page and for days i got that error message and had to keep clicking to get rid of it. Your instructions have stopped this and stopped me getting annoyed. Many thanks

  52. If I may: That’s an insecure change to make to your Internet Zone, but if it occurs for one or a few sites (like in my case) move ‘*’ into Trusted Sites first. Then, make the Display Mixed Content change to Enable in Trusted Sites. That leaves the policy in place for the great unwashed interwebs.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.