Mixed content jQuery ajax HTTPS request has been blocked on Laravel

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company

Mixed Content jQuery AJAX HTTPS Request Has Been Blocked on Laravel: A Deep Dive Debugging Guide

I want to start by acknowledging the frustration. Encountering "Mixed Content" errors, especially when dealing with dynamic asynchronous requests like jQuery AJAX in a modern secure environment (HTTPS), is an incredibly common and maddening debugging challenge. It feels like a simple mismatch, but the root cause often lies deep within server configuration, routing logic, or browser security policies.

You've provided a great snapshot of the problem: your main page loads over HTTPS, but an AJAX call attempts to hit an insecure HTTP endpoint, leading to the request being blocked by the browser. As a senior developer, we need to move beyond simple guesses and apply systematic debugging steps.

Here is a comprehensive guide on why this happens in a Laravel context and how to effectively debug and resolve it.


Understanding the Mixed Content Block

The core issue stems from the Same-Origin Policy enforced by modern browsers. When a page loads over HTTPS, the browser strictly enforces that all subsequent resources (images, scripts, and AJAX requests) must also be served over HTTPS. If your JavaScript attempts to call an http:// URL while running on https://, the browser immediately blocks the request to prevent potential security vulnerabilities and maintain content integrity.

In your specific case, the error message clearly states: "The page at 'https://example.com/fb/reports' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.com/fb/json?...'". This confirms that somewhere in the request chain—either the URL constructed by jQuery or how Laravel resolves the route—an HTTP protocol is being used instead of HTTPS.

Analyzing the Laravel and jQuery Implementation

Let's look at your provided code:

var relUrl = '/fb/json/';
// ... payload setup
return $.ajax({
    type: 'GET',
    dataType: 'json',
    data: payload,
    url: relUrl, // This is relative: /fb/json/
    headers: {
        'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
    }            
});

When you use a relative URL like /fb/json/, the browser resolves it relative to the current document's protocol. If the document is HTTPS, the request should be HTTPS. However, if the underlying server configuration or proxy setup (like Cloudways) is misconfigured, or if Laravel's routing layer incorrectly forces an HTTP response for that specific route, the mixed content error persists.

Debugging Steps

Since you have already tried changing the URL structure and investigating authentication layers, we need to focus on the server-side interaction:

1. Inspect Network Traffic (The Crucial Step)

Use your browser's Developer Tools (F12) and go to the Network tab. Trigger the AJAX request and examine the specific failed request. Look closely at the Request URL and the Response headers. This will definitively tell you what URL the browser is attempting to reach, regardless of what the JavaScript code reports.

2. Examine Laravel Routes and Controllers

If your routes are set up in routes/web.php or routes/api.php, ensure that any route handling this specific endpoint is correctly prefixed or configured for HTTPS access. When setting up APIs, adhering to best practices outlined in documentation like the official Laravel documentation regarding routing is essential.

If you are using custom middleware or proxies on your Cloudways server, these configurations can sometimes inadvertently strip or modify the protocol information before it reaches the end-user's browser.

3. Server Logs and Proxy Interference

Since you suspect Cloudflare or the server environment:

  • Tail Logs: As you suggested, logging into your server via SSH and tailing the relevant error logs (e.g., PHP error logs, web server access/error logs) is critical. Look for errors related to SSL negotiation or redirection failures that occur precisely when the AJAX request is attempted.
  • Cloudflare Check: While unlikely if other requests work, check Cloudflare's SSL settings and any WAF (Web Application Firewall) rules, as they can sometimes inject protocol-level restrictions that interfere with client-side requests.

The Recommended Solution: Enforcing HTTPS via Laravel

If the issue is indeed a server misconfiguration causing HTTP responses to be sent for an endpoint that should be secure, the fix must happen on the backend. Ensure that all routes handling data retrieval are secured and configured consistently.

For robust API development in Laravel, always treat your endpoints as secure resources. If you are using custom domain setups or complex proxy chains, ensure that the server configuration is explicitly forcing HTTPS internally before routing to the application layer. Stick strictly to official methods for setting up your application structure; keeping things clean aligns perfectly with the principles taught by Laravel.

Conclusion

The "Mixed Content" error in this context is rarely a simple client-side bug; it’s usually a symptom of an underlying protocol mismatch between the client's expectation (HTTPS) and the server’s delivery (HTTP). By systematically checking the Network tab, scrutinizing your Laravel routes, and examining the server logs, you can pinpoint whether the issue lies in how jQuery constructs the URL or how your Laravel application serves the response. Debugging requires moving from assumption to concrete evidence, and following this process will lead you to a stable and secure implementation.