If you see the locked padlock in your URL bar, then they can’t change the content at all because the content is encrypted from your device all the way back to the web server the page is hosted on. That is, if you trust the integrity of the certificate issuer. I’m looking at you, Symantec. I really need to enable SSL on this and lots of other sites I take care of. It is absolutely something that needs to happen in 2017 and with sites like Let’s Encrypt, it’s even free! Although, if your “secure” connection ends/ended up at a server that is/was a part of the NSA PRISM program then you’re out of luck anyway because they just look at your info after it is decrypted at the head end. Good lord, that was a bit of a tangent. I’m on a list now.