Mixed Content: Why You Shouldn’t Use HTTP Content on Your HTTPS Website
In this blogpost
Upgrading your website to Hypertext Transfer Protocol Secure (HTTPS) can protect it from cyber threats by encrypting its data in transit. Once upgraded, any data that’s sent to or by your website will be encrypted using a Transport Layer Security (TLS) certificate. The TLS certificate will essentially scramble data in transit so that it’s only decipherable by the appropriate users.
Even if your website has a TLS certificate installed and activated, though, it may use load some of its content over a Hypertext Transfer Protocol (HTTP) connection. A design flaw known as mixed content, it poses several concerns for your website.
What Is Mixed Content?
Mixed content involves an HTTPS web page loading some of its content over an HTTP connection. Web pages typically consist of more than just a Hypertext Markup Language (HTML) file; they may contain images, videos, scripts, stylesheets and other types of content. If an HTTPS web page loads any of its content over an HTTP connection, it has mixed content.
There are two primary types of mixed content found on websites: passive and active. The former consists of HTTP-loaded content that doesn’t interact with the web page where it’s published, whereas the latter consists of HTTP-loaded content that does interact with the web page where it’s published.
Images and videos don’t interact with web pages, so they are classified as passive mixed content. Scripts and stylesheets, on the other hand, can change the layout or functionality of web pages, so they are classified as active mixed content.
What Causes Mixed Content?
In most cases, mixed content is the result of an incomplete migration from HTTP to HTTPS. When you migrate your website to HTTPS, you must change the URLs of its loaded content so that they feature the “https” prefix. For example, if an image is located at “http://example.com/category/image-name.jpg,” you’ll need to change its location to “https://example.com/category/image-name.jpg.”
Adding a single letter to an image’s location might sound insignificant, but it tells your website to load that image over an HTTPS connection. If an image uses the standard “http” prefix in its location address, it will load for visitors over an HTTP connection, instead.
Of course, this rule applies to all forms of content that users must load when visiting your website. Each piece of loaded content has an URL denoting its location. For a complete migration from HTTP to HTTPS, you must update all of these URLs. Otherwise, your website will have mixed content.
The Dangers of Mixed Content
Allowing mixed content to go unnoticed can lead to numerous problems. For starters, it may prevent your website from displaying the secure padlock icon next to its domain name. Web pages with mixed content use a mixture of both HTTP and HTTPS connections, so they aren’t fully secure. Upon loading a page of mixed content, visitors will encounter a “not secure” message in their browser’s address bar rather than the secure padlock icon.
Web browsers often block mixed content by default. Firefox for instance, automatically blocks all active mixed content by default, whereas Chrome blocks both active and passive mixed content by default. Visitors can still access mixed content on your website, but they’ll have to select the option in their web browser to load the insecure content. Because web browsers warn users about the dangers of mixed content, however, most users will probably exit your website rather than allowing it to load.
Since it loads over an HTTP connection, mixed content leaves your website susceptible to hacking. HTTPS is designed to create a secure connection between your website and the users who visit it. When a user downloads data from or uploads data to your website, HTTPS will encrypt it. Mixed content loads over an HTTP connection, so any exchanged data associated with it isn’t encrypted.
Active mixed content is a major security risk that hackers can exploit for malicious purposes. If a hacker taps into the connection between your website’s visitors and a piece of active mixed content, he or she may change your site’s appearance or functionality. A script-based login form might be changed to a fake login form that steals visitors’ credentials, or your entire website could be redirected to a nefarious spam website.
Passive mixed content is of lesser concern since it doesn’t interact with web pages, but you should try to avoid it nonetheless. Images that load over an HTTP connection, for instance, can be changed. A hacker might replace an image on your website with an ad. Rather than seeing the actual image, users will see the hacker’s ad when they load the web page.
Finally, mixed content may negatively affect your website’s search rankings. HTTPS is a direct ranking signal deployed by Google’s algorithm. Mixed content breaks HTTPS by loading some content over an HTTP connection. HTML files may still load over an HTTPS connection, but the mixed content will use an insecure protocol that lacks the encryption technology of HTTPS. Therefore, Google may give your website lower rankings if it has mixed content.
How to Identify Mixed Content on Your Website
You can find mixed content on your website simply visiting its web pages and looking for a warning message in your web browser. It’s recommended that you use Chrome for this purpose since the Google-branded browser blocks both passive and active mixed content. If a page contains mixed content, Chrome will block it while displaying a warning message near the address bar. Go through each web page on your website to determine which ones trigger a mixed content warning message.
An easier way to identify mixed content on your website is to use JitBit’s HTTPS-checker tool. Available at jitbit.com/sslcheck, it will crawl up to 400 of your website’s pages in search of mixed content. If your website has any mixed content, JitBit’s tool will reveal it.
Every piece of loaded content on your website needs to use an HTTPS connection. If any content loads over an HTTP connection, your website will have mixed content that harms its traffic, security and rankings.
Was this post helpful?
Last Updated in 2022-03-05T14:33:37+00:00 by Lukasz Zelezny