We respect your privacy.

We use strictly necessary cookies to keep you signed in and to protect against CSRF. With your permission we also use a small amount of first-party analytics to improve the product. We do not sell your data and we do not use third-party advertising trackers. See our cookie policy and privacy policy .

← All learn topics

Rule site.mixed-protocols

Site mixes HTTP and HTTPS URLs

site.mixed-protocols is a check in Crawlmind's site audit that grades high-impact issues of this kind. This page explains why the rule matters and the exact fix.

Impact: highEffort: mediumFixable: 1-click

Why it matters

When some internal links, canonicals, or hreflang annotations point to `http://` and others to `https://`, search engines treat the protocol-mismatched URLs as separate canonical entities. The result is duplicate-content fragmentation: link equity is split, AI engines see two versions of every page, and citation share is halved. This is almost always an artefact of a half-completed HTTPS migration.

The fix

Audit for HTTP references:

```sh
grep -rn 'http://example.com' ./dist ./src
grep -rn 'href="http:' ./dist
grep -rn 'rel="canonical" href="http:' ./dist
```

Fix in three places, in order:

1. **301-redirect all HTTP requests to HTTPS at the edge** (Cloudflare, Caddy, nginx, your CDN). This catches every request regardless of how the user got there.

   ```nginx
   if ($scheme = http) { return 301 https://$host$request_uri; }
   ```

2. **Update every internal href, canonical, and hreflang in your codebase** to use `https://`. Run the grep above and fix.

3. **Update sitemap.xml and robots.txt** to use `https://` everywhere.

Finally, force HSTS at the response layer so browsers refuse to even try HTTP:

```http
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
```

References