HTTPS pages that load resources (like images, scripts, or stylesheets) over HTTP create mixed content. This undermines security, can break page functionality, a
By Seoxpert Editorial · Published · Updated
Mixed content weakens the security guarantees of HTTPS. Browsers may block scripts, styles, or even images loaded over HTTP, resulting in broken layouts, missing functionality, and visible security warnings. This erodes user trust and can negatively impact SEO rankings.
Pages with mixed content can have broken features, missing images, or non-functional scripts. Users may see security warnings, which can deter them from staying on or interacting with your site. Search engines may also penalize sites with persistent security issues, harming visibility.
Mixed content issues are typically detected using browser developer tools (Console tab), automated SEO or security crawlers, or by observing browser warnings when loading pages. Tools like Lighthouse, Chrome DevTools, or security scanners can highlight these problems.
Problem: HTTP image on HTTPS page
<img src="http://example.com/image.jpg" alt="Example">Fix: Use HTTPS image URL
<img src="https://example.com/image.jpg" alt="Example">Fix: Use protocol-relative URL
<img src="//example.com/image.jpg" alt="Example">Fix: Content-Security-Policy header to upgrade insecure requ
Content-Security-Policy: upgrade-insecure-requests;Mixed content occurs when an HTTPS page loads resources (like images, scripts, or stylesheets) over HTTP. This undermines the security of the page, can break functionality, and causes browsers to display warnings or block resources.
You can use browser developer tools (Console tab) to see mixed content warnings. Automated tools like Lighthouse, Chrome DevTools audits, or online mixed content scanners can also identify these issues across your site.
Ignoring mixed content can result in broken functionality (e.g., scripts or styles not loading), missing images, and visible security warnings to users. This damages user trust and can negatively impact your SEO.
Yes, protocol-relative URLs (starting with //) will load resources over the same protocol as the page. However, it's generally safer to use explicit https:// URLs to avoid ambiguity and ensure secure loading.
If a third-party resource does not support HTTPS, you should look for an alternative provider that does, or host the resource yourself over HTTPS if the license allows. Loading HTTP resources on HTTPS pages is not recommended.
The upgrade-insecure-requests directive tells browsers to automatically upgrade HTTP resource requests to HTTPS. This can help fix mixed content issues without changing every URL, but only works if the resource is available over HTTPS.
Pages delivered over plain HTTP expose user data, reduce trust, and receive a Google ranking penalty.
Missing recommended HTTP security headers leaves your site vulnerable to a range of attacks, including clickjacking, MIME-sniffing, and cross-site scripting (XS
Run a scan to see if HTTPS Pages Reference HTTP Resources (Mixed Content) affects your pages.
Scan my website →