Mixed Content Test (HTTP over HTTPS)
What is it?
Mixed content occurs when an HTTPS page loads sub-resources such as images, scripts, stylesheets, or fonts over insecure HTTP. The insecure resource is exposed to interception, modification, and injection attacks, defeating the security HTTPS was meant to provide. Browsers treat it accordingly: insecure scripts and frames are blocked outright on most modern browsers, while insecure images and media may be blocked or trigger visible security warnings that break the page. This test scans the HTTPS page you are testing for mixed-content references and reports each one along with its source.
Why mixed content matters
The whole point of HTTPS is that the connection between the user and your server cannot be intercepted or modified by a third party. When an HTTPS page loads a sub-resource over HTTP, that resource is exposed to interception, modification, and injection attacks, defeating the security HTTPS was supposed to provide. Browsers therefore treat mixed content seriously: insecure scripts and frames are blocked entirely on most modern browsers, while insecure images and media may be blocked or trigger visible security warnings.
Mixed content is most often a legacy problem that surfaces after a site migrates from HTTP to HTTPS without updating all internal references. Hard-coded HTTP URLs in stored content, theme files, and third-party embeds continue to point at the old protocol even after the rest of the site has moved. Fixing them is largely a matter of finding and updating those URLs, which most CMS platforms can do in bulk.
Common sources of mixed content
- Hard-coded HTTP image URLs in content stored from before the HTTPS migration.
- Third-party scripts that only support HTTP: drop the script or contact the vendor for an HTTPS endpoint.
- Hot-linked images from HTTP sources: host the images yourself or proxy them through your own HTTPS-enabled CDN.
- Mixed content in CSS background images: update the URL inside the stylesheet, then bust the cache.
This test scans your page for mixed-content references and reports each one. The fix guide below covers updating stored URLs, the upgrade-insecure-requests CSP directive that automatically rewrites HTTP requests to HTTPS, and CDN-level features that handle the rewrite for you.
Pass rate:
- Top 100 websites: 100%. This value indicates the percent of top 100 most visited websites in the US that pass this test (in the past 12 months).
- All websites: 96%. This value indicates the percent of all websites analyzed in SEO Site Checkup (500,000+) in the past 12 months.

| Year | Pass rate |
|---|---|
| 2021 | 100% |
| 2022 | 98% |
| 2023 | 98% |
| 2024 | 100% |
How do I fix it?
This test fails when an HTTPS page loads any sub-resources (images, scripts, stylesheets, or fonts) over insecure HTTP. Mixed content weakens the security guarantees of HTTPS, and modern browsers either block the resources outright or warn the user, often breaking the page in the process. Fixing this issue means updating every HTTP resource URL to HTTPS.
Where to make the change
- Application code or templates: search the codebase for `http://` URLs in `src`, `href`, and inline styles; replace each with `https://` or with a protocol-relative path.
- WordPress: use a search-and-replace plugin to update `http://` URLs in the database after enabling HTTPS, or rely on a dedicated SSL plugin to handle it.
- CDN: most CDNs offer "Automatic HTTPS Rewrites" or similar features that upgrade insecure asset references on the fly.
Common causes and how to resolve them
- Hard-coded HTTP image URLs in content: rewrite stored URLs to HTTPS or use a relative path that inherits the page protocol.
- Third-party scripts that only support HTTP: drop the script (it should not be on a modern site) or contact the vendor for an HTTPS endpoint.
- Hot-linked images from HTTP sources: host the images yourself or proxy them through your own HTTPS-enabled CDN.
- Mixed content in CSS background images: update the URL inside the stylesheet, then bust the cache.
Best practices
- Add Content Security Policy: the `upgrade-insecure-requests` directive automatically rewrites HTTP requests to HTTPS, which is a useful safety net.
- Use the browser console to find offenders: mixed content warnings include the file and line of the offending request.
- Audit periodically: new content can reintroduce mixed content. Add an automated check to your CI or monitoring pipeline.
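
The automated check suggested above could look like the following Python scanner, an added example that is not SEO Site Checkup's own code. It reports `http://` sub-resource references in `src`, stylesheet `href`, and CSS `url()` values with the line they start on. The function and class names, the `active`/`passive` labels (`active` being scripts, frames, and the loads grouped with them here), and the `example.test` sample page are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# <a href> is navigation, not a sub-resource fetch, so it is deliberately absent.
SUBRESOURCE_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data",
                     "img": "src", "audio": "src", "video": "src", "source": "src"}
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}  # this example's grouping
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)
# Constructed sample page, not taken from any real site.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.test/site.css">
<style>body { background: url(http://img.example.test/bg.png); }</style>
<a href="http://example.test/old">plain link, not mixed content</a>
<img src="http://img.example.test/logo.png">
<div style="background-image: url('http://img.example.test/hero.jpg')"></div>"""

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (line, where, url, kind)
        self._in_style = False  # True while inside a <style> block

    def _report(self, where, url, kind):
        self.findings.append((self.getpos()[0], where, url, kind))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        attr = SUBRESOURCE_ATTRS.get(tag)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            attr = "href"
        url = (attrs.get(attr) or "").strip() if attr else ""
        if url.lower().startswith("http://"):
            self._report(tag, url, "active" if tag in ACTIVE_TAGS else "passive")
        for css_url in CSS_URL.findall(attrs.get("style") or ""):
            self._report(tag + "[style]", css_url, "passive")

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for css_url in CSS_URL.findall(data):
                self._report("style", css_url, "passive")

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

In a CI job, call `scan()` on each rendered page and fail the build when the list is non-empty. It only sees references present in the served HTML, so URLs inside external stylesheets or injected by scripts still need the browser console check.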