Mixed Content: HTTP Image on HTTPS Page
An HTTP image on an HTTPS page downgrades the security of the connection, triggers browser warnings, and can cause images to be blocked entirely.
Why it matters
An HTTP image on an HTTPS page downgrades the security of the connection, triggers browser warnings, and can cause images to be blocked entirely.
Fix this before publishing the next change. Critical signals frequently block indexing or cause measurable ranking loss. Estimated SEO impact: medium — measurable effect on click-through or relevance.
How to fix
- Change http:// to https:// in image URLs
- Or use protocol-relative URLs (//example.com/img.jpg)
- Enable Content-Security-Policy: upgrade-insecure-requests
Common causes
If the rule is firing across many pages, the root cause is almost always one of these:
- Mixed-content sub-resources from before HTTPS migration that escaped the rewrite.
- CDN or upstream proxy strips a security header that was set at the origin.
- Legacy redirects send HTTPS traffic through HTTP first.
- Test/staging hostnames leak into production HTML via hard-coded URLs.
Anti-patterns to avoid
Even with the best intentions, these "fixes" make the issue worse — recognise them so you don't ship them:
- Mixed HTTP/HTTPS resources after migration.
- Self-signed or expired certificates on production.
- Long-lived secrets in client-rendered HTML or JS bundles.
How atlookup detects this
Our crawler renders each page with a real headless browser, then inspects HTTPS state, response headers, mixed content, and certificate validity. Pages where the rule fires for mixed content: http image on https page are flagged on the report.
If you'd like to see this rule fire on your own site, run a free 60-second audit — every page is reported with the exact lines that triggered it.
Tools to verify the fix
Once you've applied the fix, double-check with these external validators:
- SSL Labs — Grades certificate + protocol configuration.
- securityheaders.com — Audits response headers against best practice.
Frequently asked questions
Why does Mixed Content: HTTP Image on HTTPS Page matter for SEO?
An HTTP image on an HTTPS page downgrades the security of the connection, triggers browser warnings, and can cause images to be blocked entirely.
How do I fix mixed content: http image on https page?
Change http:// to https:// in image URLs Or use protocol-relative URLs (//example.com/img.jpg) Enable Content-Security-Policy: upgrade-insecure-requests
Is this a critical SEO issue?
Fix this before publishing the next change. Critical signals frequently block indexing or cause measurable ranking loss. Estimated SEO impact: medium — measurable effect on click-through or relevance.
How does atlookup detect mixed content: http image on https page?
Our crawler renders each page with a real headless browser, then inspects HTTPS state, response headers, mixed content, and certificate validity. Pages where the rule fires for mixed content: http image on https page are flagged on the report.
How long does it take to fix?
5–15 minutes per page. Most teams batch similar issues across templates so the per-page time goes down at scale.
Related issues
FRAME_TAG_PRESENT
Deprecated frame/frameset Tag Present
<frame> and <frameset> are removed from HTML5 — not supported in modern browsers, bad for SEO, and catastrophic for accessibility.
FLASH_OBJECT_PRESENT
Flash Object on Page
Adobe Flash has been end-of-life since December 2020 — no browser runs it.
FORM_INSECURE_ACTION
Form Action Uses HTTP on HTTPS Page
A form that POSTs to an HTTP endpoint on an HTTPS page sends user data in the clear — a serious security and privacy failure.
MIXED_CONTENT_IFRAME
Mixed Content: HTTP iframe on HTTPS Page
HTTP iframes on HTTPS pages are blocked by modern browsers entirely — the embedded content simply does not render, breaking the user experience.