Deutsch
English
Mixed Content
Mixed Content refers to a security vulnerability that occurs when an HTTPS website (secure connection) loads resources over HTTP (insecure connection). This creates a security risk and can have negative impacts on SEO and user experience.
What is Mixed Content?
Definition and Fundamentals
Mixed Content occurs when:
- The main page is loaded over HTTPS
- But images, stylesheets, JavaScript files or other resources are retrieved over HTTP
- This results in a "mixed" security situation
Types of Mixed Content
Passive Mixed Content
Passive Mixed Content includes resources that cannot actively modify the page:
- Images (JPG, PNG, GIF, SVG)
- Audio files (MP3, WAV)
- Video files (MP4, WebM)
- CSS decorations
Active Mixed Content
Active Mixed Content includes resources that can actively modify the page:
- JavaScript files
- Stylesheets (CSS)
- iFrames
- XMLHttpRequests
- WebSockets
Impact on SEO
Google Ranking Factors
Factor
Impact
SEO Relevance
HTTPS as Ranking Signal
Reduced Security Rating
High
Core Web Vitals
Loading times due to blocking
High
User Experience
Browser warnings
Medium
Mobile Usability
Function failures
High
Browser Behavior
Modern browsers react differently to Mixed Content:
- Chrome/Edge: Blocks active Mixed Content, warns about passive
- Firefox: Similar behavior to Chrome
- Safari: Strict blocking of all Mixed Content
- Mobile browsers: Often more restrictive than desktop versions
Common Causes
Content Management Systems
- WordPress: Plugins load external resources over HTTP
- Shopify: Third-party apps with insecure connections
- Drupal: Modules with outdated HTTP links
External Services
- CDN Configuration: Incorrect protocol settings
- Analytics Tools: Google Analytics over HTTP
- Social Media Widgets: Facebook, Twitter Embeds
- Advertising: Ad networks with HTTP resources
Development Errors
- Hardcoded HTTP URLs in templates
- Relative protocol URLs (//example.com)
- Outdated libraries with HTTP dependencies
Detection and Diagnosis
Browser Developer Tools
Chrome DevTools:
- Open Security tab
- Check "Mixed Content" section
- Monitor console for warnings
Firefox Developer Tools:
- Activate Web Console
- Filter for "Mixed Content"
- Check Network tab for HTTP requests
SEO Tools
Google Search Console:
- Security Issues Report
- HTTPS Coverage Report
- Mobile Usability Issues
Screaming Frog:
- Configuration → Spider → Crawl → HTTPS
- Activate "Mixed Content" filter
- Analyze external resources
Solution Approaches
1. Protocol-Relative URLs
Problem:
<img src="http://example.com/image.jpg" alt="Image">Solution:
<img src="//example.com/image.jpg" alt="Image">2. HTTPS Upgrade for External Resources
Steps:
- Check external services: Do they support HTTPS?
- Validate SSL certificates: Are they valid and trustworthy?
- CDN configuration: Enable HTTPS for all resources
- API endpoints: Switch to HTTPS
3. Content Security Policy (CSP)
Implement CSP header:
Content-Security-Policy: upgrade-insecure-requestsBenefits:
- Automatic upgrade from HTTP to HTTPS
- Protection against Mixed Content
- Better security control
4. Server-side Solutions
Apache (.htaccess):
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]Nginx:
server {
listen 443 ssl;
server_name example.com;
location / {
add_header Content-Security-Policy "upgrade-insecure-requests";
}
}Best Practices
Development
- HTTPS-First Development: Local development with HTTPS
- Relative protocol URLs: Use // instead of http://
- Automated Testing: Mixed Content in CI/CD pipeline
- Code Reviews: Check HTTP URLs in pull requests
Monitoring
Regular audits:
- Weekly Mixed Content scans
- Automated alerts for new problems
- Quarterly security reviews
Tools for continuous monitoring:
- Lighthouse: Automatic Mixed Content tests
- WebPageTest: Measure performance impact
- Custom Scripts: Regular website scans
Avoiding Common Mistakes
1. Outdated Plugins and Themes
Solution:
- Regular plugin updates
- Choose HTTPS-compatible alternatives
- Check plugin code for HTTP URLs
2. External Resources without HTTPS
Problem:
<script src="http://external-site.com/script.js"></script>Solution:
<script src="https://external-site.com/script.js"></script>3. Hardcoded URLs in Databases
Problem: URLs stored in database with http://
Solution: Database migration for HTTPS URLs
Testing and Validation
Browser Tests
Test scenarios:
- Different browsers: Chrome, Firefox, Safari, Edge
- Mobile devices: iOS Safari, Android Chrome
- Different networks: WiFi, Mobile Data
- Incognito mode: Without cached content
Automated Tests
Lighthouse CI:
lighthouse https://example.com --only-categories=best-practicesCustom Test Script:
// Mixed Content Detection Script
const checkMixedContent = () => {
const resources = performance.getEntriesByType('resource');
const httpResources = resources.filter(r => r.name.startsWith('http://'));
return httpResources.length === 0;
};Performance Aspects
Loading Time Impact
Mixed Content can negatively impact loading time:
Resource Type
Blocking
Performance Impact
JavaScript
Complete
High
CSS
Complete
High
Images
Partial
Medium
Fonts
Complete
High
Core Web Vitals
Largest Contentful Paint (LCP):
- Blocked resources delay LCP
- Especially critical for above-the-fold content
Cumulative Layout Shift (CLS):
- Missing stylesheets cause layout shifts
- Images don't load or load with delay
Migration to HTTPS
Step-by-Step Guide
- Conduct audit: Identify all HTTP resources
- Check external services: Test HTTPS availability
- Adapt code: Switch URLs to HTTPS
- Testing: Comprehensive tests in different browsers
- Monitoring: Set up continuous monitoring
Rollback Plan
In case of problems:
- Immediate response: Temporarily restore HTTP resources
- Root Cause Analysis: Identify and fix problem
- Re-test: Test solution in staging environment
- Gradual introduction: Gradual migration instead of big bang