Mixed Content: HTTP iframe on HTTPS Page
HTTP iframes on HTTPS pages are blocked by modern browsers entirely — the embedded content simply does not render, breaking the user experience.
Why it matters
HTTP iframes on HTTPS pages are blocked by modern browsers entirely — the embedded content simply does not render, breaking the user experience.
Fix this before publishing the next change. Critical signals frequently block indexing or cause measurable ranking loss. Estimated SEO impact: high — direct effect on rankings or impressions.
How to fix
- Update the iframe src to https://
- If the destination does not support HTTPS, find an alternative
Common causes
If the rule is firing across many pages, the root cause is almost always one of these:
- Mixed-content sub-resources from before HTTPS migration that escaped the rewrite.
- CDN or upstream proxy strips a security header that was set at the origin.
- Legacy redirects send HTTPS traffic through HTTP first.
- Test/staging hostnames leak into production HTML via hard-coded URLs.
Anti-patterns to avoid
Even with the best intentions, these "fixes" make the issue worse — recognise them so you don't ship them:
- Mixed HTTP/HTTPS resources after migration.
- Self-signed or expired certificates on production.
- Long-lived secrets in client-rendered HTML or JS bundles.
How atlookup detects this
Our crawler renders each page with a real headless browser, then inspects HTTPS state, response headers, mixed content, and certificate validity. Pages where the rule fires for mixed content: http iframe on https page are flagged on the report.
If you'd like to see this rule fire on your own site, run a free 60-second audit — every page is reported with the exact lines that triggered it.
Tools to verify the fix
Once you've applied the fix, double-check with these external validators:
- SSL Labs — Grades certificate + protocol configuration.
- securityheaders.com — Audits response headers against best practice.
Frequently asked questions
Why does Mixed Content: HTTP iframe on HTTPS Page matter for SEO?
HTTP iframes on HTTPS pages are blocked by modern browsers entirely — the embedded content simply does not render, breaking the user experience.
How do I fix mixed content: http iframe on https page?
Update the iframe src to https:// If the destination does not support HTTPS, find an alternative
Is this a critical SEO issue?
Fix this before publishing the next change. Critical signals frequently block indexing or cause measurable ranking loss. Estimated SEO impact: high — direct effect on rankings or impressions.
How does atlookup detect mixed content: http iframe on https page?
Our crawler renders each page with a real headless browser, then inspects HTTPS state, response headers, mixed content, and certificate validity. Pages where the rule fires for mixed content: http iframe on https page are flagged on the report.
How long does it take to fix?
5–15 minutes per page. Most teams batch similar issues across templates so the per-page time goes down at scale.
Related issues
FRAME_TAG_PRESENT
Deprecated frame/frameset Tag Present
<frame> and <frameset> are removed from HTML5 — not supported in modern browsers, bad for SEO, and catastrophic for accessibility.
FLASH_OBJECT_PRESENT
Flash Object on Page
Adobe Flash has been end-of-life since December 2020 — no browser runs it.
FORM_INSECURE_ACTION
Form Action Uses HTTP on HTTPS Page
A form that POSTs to an HTTP endpoint on an HTTPS page sends user data in the clear — a serious security and privacy failure.
MIXED_CONTENT_SCRIPT
Mixed Content: HTTP Script on HTTPS Page
HTTP scripts on HTTPS pages are blocked by all modern browsers — the script never runs, often breaking analytics, widgets, or core functionality.