Rule site.mixed-protocols
Site mixes HTTP and HTTPS URLs
site.mixed-protocols is a check in Crawlmind's site audit that grades high-impact issues of this kind. This page explains why the rule matters and the exact fix.
Why it matters
When some internal links, canonicals, or hreflang annotations point to `http://` and others to `https://`, search engines treat the protocol-mismatched URLs as separate canonical entities. The result is duplicate-content fragmentation: link equity is split, AI engines see two versions of every page, and citation share is halved. This is almost always an artefact of a half-completed HTTPS migration.
The fix
Audit for HTTP references:
```sh
grep -rn 'http://example.com' ./dist ./src
grep -rn 'href="http:' ./dist
grep -rn 'rel="canonical" href="http:' ./dist
```
Fix in three places, in order:
1. **301-redirect all HTTP requests to HTTPS at the edge** (Cloudflare, Caddy, nginx, your CDN). This catches every request regardless of how the user got there.
```nginx
if ($scheme = http) { return 301 https://$host$request_uri; }
```
2. **Update every internal href, canonical, and hreflang in your codebase** to use `https://`. Run the grep above and fix.
3. **Update sitemap.xml and robots.txt** to use `https://` everywhere.
Finally, force HSTS at the response layer so browsers refuse to even try HTTP:
```http
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
```