Form Action Uses HTTP on HTTPS Page

A form that POSTs to an HTTP endpoint on an HTTPS page sends user data in the clear — a serious security and privacy failure.

Why it matters

A form that POSTs to an HTTP endpoint on an HTTPS page sends user data in the clear — a serious security and privacy failure.

Fix this before publishing the next change. Critical signals frequently block indexing or cause measurable ranking loss. Estimated SEO impact: high — direct effect on rankings or impressions.

How to fix

• Update the form's action URL to https://
• Add Content-Security-Policy: form-action https:

Common causes

If the rule is firing across many pages, the root cause is almost always one of these:

• Mixed-content sub-resources from before HTTPS migration that escaped the rewrite.
• CDN or upstream proxy strips a security header that was set at the origin.
• Legacy redirects send HTTPS traffic through HTTP first.
• Test/staging hostnames leak into production HTML via hard-coded URLs.

Anti-patterns to avoid

Even with the best intentions, these "fixes" make the issue worse — recognise them so you don't ship them:

• Mixed HTTP/HTTPS resources after migration.
• Self-signed or expired certificates on production.
• Long-lived secrets in client-rendered HTML or JS bundles.

How atlookup detects this

Our crawler renders each page with a real headless browser, then inspects HTTPS state, response headers, mixed content, and certificate validity. Pages where the rule fires for form action uses http on https page are flagged on the report.

If you'd like to see this rule fire on your own site, run a free 60-second audit — every page is reported with the exact lines that triggered it.

Tools to verify the fix

Once you've applied the fix, double-check with these external validators:

• SSL Labs — Grades certificate + protocol configuration.
• securityheaders.com — Audits response headers against best practice.

Frequently asked questions

Related issues