This site uses cookies and other tracking technologies to make possible your usage of the website, assist with navigation and your ability to provide feedback, analyse your use of our products and services, assist with our promotional and marketing efforts, and provide better user experience.

By using the website, you agree to our Privacy policy

Accept and continue

Report a bug

Cancel
352 28
How-to 6 min read September 20, 2019

What is mixed content and how to remove it from HTTPS-protected sites

Mixed content occurs when insecure elements are loaded over HTTP protocol to an SSL-protected page. An HTTPS page that contains any HTTP links is attackable which may influence SEO in a negative way.

What is mixed content on an HTTPS site

While applying HTTPS, it is essential to ensure only secure content on your site. Thus, all internal and external links to pictures, scripts, or other pages should be implemented relatively or over HTTPS protocol. It is recommended to apply links in a proportional form.

HTTPS pages are encrypted with TLS and protected from data theft. Mixed content makes your site fragile; it can undergo code altering if attacked. Subsequently, the connection fails to be secure.

In case an HTTPS page contains a link starting with http://, search systems identify it as "mixed content error" that degrades SEO.

According to W3C specification, browsers report warnings about pages with mixed content:
A warning about unsafe content in the browser
This error can be screened in Mozilla developer tools or in JavaScript console in Google Chrome tools.

Error warning in Chrome:
Mixed content warning in Google Chrome
Error warning in Mozilla:
Mixed content warning in Mozilla Firefox

Mixed content types

There are two groups of mixed content, passive and active.
1
Passive mixed content includes generally accessible elements that do not allow obtaining any kind of confidential or financial data when hacked.

Stealing such data via an insecure protocol cannot bring financial gains to fraudsters. All they can succeed to do is garbling your site by changing this content.

Passive mixed content includes pictures, audio files, video materials, and other elements that intruders may replace with hard-hitting files, thus disrupting the resource's normal course of work.
2
Active mixed content includes scripts and frames that can seriously harm the site and its users if stolen. Src attributes of <script> and <iframe> tags are the foremost elements that refer to this type of content. Other endangered features are:

  • href attribute of <link> tag;
  • data attribute of <object> tag;
  • URL parameter in CSS styles;
  • XTMLHttpRequest including its queries.

In theory, this kind of mixed content may allow hackers to seize personal data, passwords, bank card numbers, etc. Even if users type in confidential information on a secure page, fraudsters can use scripts to arrange redirection to an unsafe resource where this important data will be stolen.

It is strongly recommended to avoid entering plastic card data if you have the slightest doubt about the site security.

Detecting and preventing insecure content on HTTPS pages

Using browser developer tools to check a big resource that contains a large number of pages is very hard work. In order to automate and simplify this process, you can use "Site audit" module by Serpstat. Open "HTTPS Certificate" section of the summary report:
HTTPS sertificate errors in Serpstat's site audit tool
The report points out the errors related to mixed content. Let us examine the provided example in detail.
1
Invalid links from HTTPS to HTTP pages.

This error may be corrected by changing HTTP to HTTPS in internal links on the indicated pages.
HTTPS pages link to insecure HTTP pages
2
Use of HSTS support.

This error type is attributed to web server peculiarities. To dismiss the error, you need to address hosting provider service to learn if it approves of using HSTS. The algorithm enables automatic transfer to the secure protocol even if a user starts entering a link with http://.
Using HSTS support on the site
3
Insecure elements on the page.

If this type of error was reported, inspect the identified pages for any links starting with http:// and replace them with https://. In case these links transfer users to HTTP pages, you should download only the necessary information from such resources.

For example, it is better to upload required pictures or scripts to your own site instead of using links that lead to insecure sites. The next step is to replace the undesirable links to relevant ones or enable HTTPS protocol.
Mixed content on the site
4
In addition, by using Serpstat report, you can find the insecure links included to the sitemap and find out if your project still contains any HTTP pages.
5
Besides, the site can be checked by any scanning program like SEO Frog which may also provide a total list of links with http and https applied in your site.

Conclusion

Mixed content undermines site appearance and SEO; for this reason, it should be timely detected and removed. It contributes to SEO, helps to dismiss browser warnings, and ensures user security.

All browsers are obliged to inform users in case a site contains insecure elements; potential visitors may prefer a competitor site that provides safe content.

You can turn to developer tools to detect the problems manually; however, it may take very much time. A quicker way to get detailed data concerning the incorrect use of HTTPS is using Serpstat.

A resource should be scanned for insecure links shortly after the site was created or protected by https.

In order to deal with errors, you should replace the links with https:// variant or upload required files directly to your server after downloading necessary information from other sites and then use relative links.
This article is a part of Serpstat's "Site Audit" tool
SEO Audit in Serpstat
Audit all the site or page in one click. A complete list of errors, sorted by severity, ways to resolve them and recommendations. Any frequency of verification and automatic email reports.
Run Site Audit

Learn how to get the most out of Serpstat

Want to get a personal demo, trial period or bunch of successful use cases?

Send a request and our expert will contact you ;)

Rate the article on a five-point scale

The article has already been rated by 1 people on average 4 out of 5
Found an error? Select it and press Ctrl + Enter to tell us

Share this article with your friends

Sign In Free Sign Up

You’ve reached your query limit.

Or email
Forgot password?
Or email
Back To Login

Don’t worry! Just fill in your email and we’ll send over your password.

Are you sure?

Awesome!

To complete your registration you need to enter your phone number

Back

We sent confirmation code to your phone number

Your phone Resend code Queries left

Something went wrong.

Contact our support team
Or confirm the registration using the Telegram bot Follow this link
Please pick the project to work on

Personal demonstration

Serpstat is all about saving time, and we want to save yours! One of our specialists will contact you and discuss options going forward.

These may include a personal demonstration, a trial period, comprehensive training articles & webinar recordings, and custom advice from a Serpstat specialist. It is our goal to make you feel comfortable while using Serpstat.

Name

Email

Phone

We are glad of your comment
Upgrade your plan

Upgrade your plan

Export is not available for your account. Please upgrade to Lite or higher to get access to the tool. Learn more

Sign Up Free

Спасибо, мы с вами свяжемся в ближайшее время

Invite
View Editing

E-mail
Message
Optional
E-mail
Message
Optional

You have run out of limits

You have reached the limit for the number of created projects. You cannot create new projects unless you increase the limits or delete existing projects.

I want more limits