Do not link from HTTPS to HTTP
Detects links from HTTPS pages to HTTP destinations, which trigger mixed content warnings and lose ranking signals
- All internal links on an HTTPS page must point to HTTPS URLs — HTTP links trigger mixed content warnings
- External links to HTTP destinations break the security chain and may be blocked by browsers
- Use protocol-relative URLs (`//example.com`) or absolute HTTPS URLs — never hardcode `http://` for internal links
Rule Details
When a page is served over HTTPS, every link and resource on that page should also use HTTPS. Google's HTTPS guidance and MDN's mixed-content reference make protocol mismatches both a trust problem and a technical SEO problem.
Code Examples
❌ Avoid — HTTP link from an HTTPS page
<!-- Page served at https://yoursite.com -->
<a href="http://yoursite.com/about">About Us</a>
<!-- Triggers redirect; sends wrong protocol signal -->
<a href="http://partner.example.com/offer">View Offer</a>
<!-- Mixed context; browser may warn -->
❌ Avoid — HTTP resource on HTTPS page
<!-- These will be blocked by modern browsers -->
<script src="http://cdn.example.com/analytics.js"></script>
<img src="http://images.example.com/logo.png" alt="Logo">
✅ Correct — relative or HTTPS links
<!-- Internal links: use relative paths -->
<a href="/about">About Us</a>
<!-- Internal links: use absolute HTTPS if needed -->
<a href="https://yoursite.com/about">About Us</a>
<!-- External links: verify the destination supports HTTPS -->
<a href="https://partner.example.com/offer" rel="noopener noreferrer">View Offer</a>
<!-- Resources: always HTTPS -->
<script src="https://cdn.example.com/analytics.js"></script>
<img src="https://images.example.com/logo.png" alt="Logo">
✅ Protocol-relative URLs for third-party scripts (legacy approach)
<!-- Protocol-relative: inherits the page's protocol -->
<!-- Note: prefer explicit https:// in modern code -->
<script src="//cdn.example.com/script.js"></script>
Why It Matters
- Browser blocking: Modern browsers block "active" mixed content (scripts, stylesheets from HTTP on HTTPS pages) entirely.
- User warnings: Browsers show security warnings for pages with mixed content, reducing user trust.
- Redirect overhead: HTTP links on an HTTPS page mean every navigation adds an extra redirect (HTTP 301 → HTTPS), slowing page loads.
- Ranking signals: The SEO value passed through a link is reduced when crossing from HTTPS to HTTP, and these mismatches often show up alongside sitemap-domain issues during migrations.
Content Types and Risk Levels
| Resource type | Risk level | Browser behaviour |
|---|---|---|
| `<script src="http://...">` | Critical | Blocked silently |
| `<link href="http://...">` (CSS) | Critical | Blocked silently |
| `<img src="http://...">` | Warning | Blocked in strict mode |
| `<a href="http://...">` (navigation) | Warning | Redirected (if target has HTTPS) |
How to Find HTTP Links
# Find HTTP links in HTML templates
grep -rn 'href="http://' ./src/templates/
grep -rn 'src="http://' ./src/templates/
# In a browser: open DevTools → Console and run:
Array.from(document.querySelectorAll('a[href^="http://"]'))
.map(a => a.href)
After fixing, use a browser security report (DevTools → Security tab) to confirm no mixed content warnings remain.
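The same audit done with Python's standard-library HTML parser, as an added example that is not part of the original page or of any tool it describes: unlike the `href="http://` grep pattern, it also catches single-quoted and upper-case attributes, and it sorts findings into the internal, external and resource categories. The names `InsecureLinkAuditor` and `audit` and the sample markup are assumptions made for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load subresources; <a href> is navigation.
RESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("link", "href")}

class InsecureLinkAuditor(HTMLParser):
    """Collect http:// targets on one HTTPS page, with line and category."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (line, tag, category, resolved URL)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and accepts either
        # quote style, so <IMG SRC='...'> is seen as ("img", "src").
        for name, value in attrs:
            is_resource = (tag, name) in RESOURCE_ATTRS
            if not value or not (is_resource or (tag, name) == ("a", "href")):
                continue
            # Resolve against the page URL: relative and protocol-relative
            # values inherit https and are not reported.
            target = urlsplit(urljoin(self.page_url, value.strip()))
            if target.scheme != "http":
                continue
            if is_resource:
                category = "resource"
            elif target.hostname == self.page_host:
                category = "internal"
            else:
                category = "external"
            self.findings.append((self.getpos()[0], tag, category, target.geturl()))

def audit(page_url, html):
    auditor = InsecureLinkAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings, Counter(f[2] for f in auditor.findings)

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<a href='HTTP://yoursite.com/about'>About Us</a>
<a href="/contact">Contact</a>
<a href="http://partner.example.com/offer">View Offer</a>
<script src="//cdn.example.com/script.js"></script>
<IMG SRC="http://images.example.com/logo.png" alt="Logo">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
"""
print(audit("https://yoursite.com/pricing", SAMPLE)[1])
```

Each finding carries the source line number, so the report can be mapped back to the template that needs editing.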
Exceptions
- Staging, utility, login, account, or internal search pages may intentionally use different crawl or index signals if they are not meant to rank.
- Temporary migration states can produce noisy intermediate signals; flag the live production URL pattern, not one-off transition artifacts.
- When redirects, canonicals, robots directives, or indexability signals conflict, fix the strongest final signal first instead of reporting every downstream symptom as a separate blocker.
Standards
- Use these references as the standard for the final search-facing HTML, metadata, and crawl behavior.
- Check the implementation against Google Search Central, "HTTPS as a ranking signal", before treating the rule as satisfied.
- Check the implementation against MDN, "Mixed content: what is mixed content?", before treating the rule as satisfied.
Verification
Automated Checks
- Inspect rendered HTML and HTTP headers to confirm the expected metadata or crawlability signal is present.
- Test the affected URL with Google Search Console or equivalent tooling where relevant.
- Re-crawl a representative page set after deployment.
Manual Checks
- Confirm the change does not create conflicting canonical-url, robots, or structured-data signals.
Use with AI
Copy these prompts to use with your AI assistant, or install the MCP server to use directly from Claude, Cursor, or Windsurf.
Check
Verify implementation
On pages served over HTTPS, scan all `<a href>` attributes for URLs starting with `http://` (not `https://`). Flag: (1) Internal links using `http://` that should use `https://` or a relative path. (2) External links to third-party sites still on HTTP (flag for review — the destination may not support HTTPS). (3) Resource links (`<img src>`, `<script src>`, `<link href>`) pointing to HTTP URLs — these cause active mixed content warnings.
Fix
Auto-fix issues
1. Audit all `<a href>` values in templates and content for `http://` links.
2. For internal links: change `http://yourdomain.com/path` to `/path` (relative) or `https://yourdomain.com/path`.
3. For external links: check if the destination supports HTTPS; update to `https://` if so.
4. For resource links (scripts, styles, images): always use `https://` or protocol-relative `//`.
5. In your CMS or database: run a search-and-replace to update stored HTTP URLs to HTTPS.
6. Set up a server-level redirect from HTTP to HTTPS to catch any remaining HTTP URLs in user-generated content.
7. Verify with: `grep -r 'href="http://' ./templates/` or use a link auditing tool.
Explain
Learn more
HTTPS is a confirmed Google ranking factor. When an HTTPS page links to HTTP resources or destinations, it downgrades the secure context, triggering browser warnings and potentially blocking content. For internal links, HTTP destinations mean an extra redirect (HTTP→HTTPS) on every navigation, slowing page loads. The ranking signal passed via the link's referrer is also diminished when crossing from HTTPS to HTTP.
Review
Code review
Parse all `<a href>`, `<img src>`, `<script src>`, and `<link href>` attributes. Flag any value starting with `http://` (not `https://` or a relative path). In JavaScript frameworks, also check for `http://` in `fetch()`, `axios`, or router navigation calls. Report the count of HTTP links by category (internal, external, resource).
