top of page
Writer's pictureBrent D. Payne

Mixed content (loads HTTP resources on HTTPS URL)

The webpage is accessed via a secure HTTPS connection, but it harbors elements fetched through an insecure HTTP protocol.


Why is this important?

This occurrence is termed 'mixed content' and occurs when both secure (HTTPS) and non-secure (HTTP) elements are served to form a single page, compromising the integrity of the page's security. Such practice can expose users to man-in-the-middle attacks, compromising confidential data.


What does the Optimization check?

The Optimization activates when an internal HTTPS webpage incorporates any HTTP-linked resources, which can include:

  • link tags referencing stylesheets

  • HTML with a manifest attribute

  • external script files

  • image sources

  • images within srcset attributes

  • iframe embeds

  • audio files

  • video elements

  • sources for video and audio

  • image inputs

  • embedded resources

  • object elements with data attributes

Examples that trigger this Optimization

An example URL: https://example.com/page-a would set off this Optimization if it includes any HTTP resource link:

For a JavaScript file:

<script src="http://httpbin.org/tracker.min.js" type="text/javascript" async></script>


For a CSS file:


For an image:


How do you resolve this issue?

This Optimization is designated 'Critical' due to the severity of the impact it can have on your site's search traffic and user trust. It is imperative to address such vulnerabilities with urgency.


Resources on your pages should be loaded using only HTTPS URLs. For any HTTP resource links, update them to their secure HTTPS versions.


If the resources are not available over HTTPS, you can:

  • Source the content from an alternative provider offering HTTPS.

  • Host the material on your own domain after ensuring it complies with copyright law.

  • Omit the inclusion of the specific resource on your website.

Further reading

6 views
bottom of page