What is upgrade-insecure-requests?

A CSP directive that tells browsers to automatically upgrade HTTP URLs to HTTPS before fetching them. A quick fix for mixed content.

Does mixed content affect SEO?

Indirectly. Mixed content removes the padlock, which can affect user trust. Google prefers fully HTTPS sites. Fix mixed content for best SEO.

Browser Mixed Content Warnings — HTTP Resources on HTTPS Page

Warningsecurity

Overview

Fix mixed content warnings and errors when an HTTPS page loads resources (scripts, images, iframes) over insecure HTTP, causing browser security warnings.

Key Details

Mixed content occurs when an HTTPS page includes resources loaded over HTTP
Active mixed content (scripts, iframes, CSS) is blocked by all modern browsers
Passive mixed content (images, audio, video) shows a warning but may still load
The padlock icon in the address bar is removed or shows a warning triangle
Content Security Policy (CSP) can enforce HTTPS for all resources

Common Causes

HTML containing http:// URLs for scripts, stylesheets, or images on an HTTPS page
Third-party widgets or ads loading resources over HTTP
CMS or application generating HTTP URLs instead of HTTPS
Legacy content with hardcoded HTTP URLs
CDN not configured for HTTPS delivery

Steps

1Find mixed content: open DevTools Console — warnings list the specific HTTP resources
2Change resource URLs from http:// to https:// or use protocol-relative //
3Add Content-Security-Policy: upgrade-insecure-requests header to auto-upgrade HTTP to HTTPS
4Update CMS settings to generate HTTPS URLs (WordPress: Settings > General > change to https)
5Use meta tag: <meta http-equiv='Content-Security-Policy' content='upgrade-insecure-requests'>