Mixed content

Once a page is served over HTTPS, every resource it loads must also use HTTPS. A single HTTP asset triggers a mixed-content warning.

What it is

Mixed content happens when a secure page references images, scripts, styles, or iframes over plain HTTP. Browsers block active mixed content and flag passive mixed content.

Why it matters for SEO

Blocked scripts and styles break layout and functionality, and the lost padlock erodes trust. Security signals factor into rankings, so warnings can suppress visibility.

Example

<!-- Page served over https:// -->
<img src='http://example.com/logo.png'>
<script src='http://cdn.example.com/app.js'></script>

How to fix

  1. Update every asset URL to https:// (or protocol-relative //).
  2. Replace third-party resources that lack HTTPS.
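  3. Send the Content-Security-Policy: upgrade-insecure-requests response header so the browser auto-upgrades remaining legacy http:// sub-resource requests to https://. A resource whose host does not serve HTTPS still fails to load, so this does not replace step 2.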
  4. Re-scan to confirm no HTTP sub-resources remain.
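
For the re-scan in step 4, a small static checker can list the remaining http:// sub-resources in a page's HTML and label each as active (blocked) or passive (flagged), following the split described under "What it is". This is an added example, not code from this knowledge base; the tag table, the function name scan and the sample page are assumptions made for the illustration.

```python
from html.parser import HTMLParser

# Tag -> (URL attribute, class). Simplified table assumed for this example:
# "active" resources are blocked by browsers, "passive" ones are flagged.
SUBRESOURCES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),   # only counted when rel=stylesheet
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href> is navigation, not a sub-resource
        attr, kind = SUBRESOURCES[tag]
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return  # canonical/alternate links are not fetched as sub-resources
        url = a.get(attr, "").strip()
        # https:// and protocol-relative // URLs are fine on an HTTPS page
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, kind, url))

def scan(html):
    """Return every plain-HTTP sub-resource found in the given HTML text."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, assumed to be served over https://
SAMPLE = """<!doctype html>
<link rel="stylesheet" href="http://example.com/site.css">
<link rel="canonical" href="http://example.com/">
<img src='http://example.com/logo.png'>
<img src="//example.com/banner.png">
<script src='http://cdn.example.com/app.js'></script>
<a href="http://example.com/about">About</a>
<script src="https://cdn.example.com/ok.js"></script>
"""

if __name__ == "__main__":
    for line, tag, kind, url in scan(SAMPLE):
        print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```

The checker reads static markup only: it does not follow url() references inside CSS, srcset candidates, or resources injected by scripts at runtime, so a browser console check is still needed for those.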
