the boring digital co.

HTTPS, mixed content, and the trust signals you can't fake.

HTTPS and mixed content errors are silent trust killers for small business websites. Here's what they are, why they matter for search, and how to fix them.

Michael McShane, MBA
Co-founder · Business & Marketing Strategist

HTTPS is not optional for any business that wants to rank, convert, or be trusted. If your site still runs on HTTP, or if it loads HTTPS but pulls in unsecured resources, browsers and search engines flag it — and visitors leave before they read a single word.

This is not a developer-only problem. It is a business problem. The padlock in the browser bar is a signal. When it breaks, trust breaks with it. And trust is not something you can recover by writing better headlines.

What HTTPS actually does — and what it doesn't

HTTPS encrypts the connection between a visitor's browser and your server. That means the data passing back and forth — contact form submissions, appointment requests, payment details — cannot be read by a third party sitting between them.

HTTP does not do that. Everything sent over HTTP is plain text. Anyone on the same network can read it. That matters more than most small business owners realize. A visitor filling out your intake form at a coffee shop, on a hotel Wi-Fi, at an airport — their information is exposed if your site doesn't encrypt the connection.

What HTTPS does not do is make your site fast, secure from server-side attacks, or free from other technical problems. Encryption is one layer. It is the first layer. Without it, nothing else on the technical side matters much.

Google confirmed HTTPS as a ranking signal in 2014. It carries a small but real weight in the algorithm. More importantly, Chrome — which accounts for roughly two-thirds of US desktop browsing — labels HTTP sites as "Not Secure" in the address bar. That label kills conversion. No amount of good content overcomes a browser telling your visitor the site is unsafe.

What mixed content is, and why it's sneakier than HTTP

Mixed content happens when a page loads over HTTPS but pulls in at least one resource — an image, a script, a stylesheet, a font — over HTTP. The page is technically secured, but it is pulling in unsecured elements. Browsers catch this and either block the resource or flag the page.

There are two types. Passive mixed content includes images, audio, and video loaded over HTTP. Browsers display the page but often drop the padlock or show a warning icon. Active mixed content includes scripts and stylesheets. Browsers block these outright because a compromised script can rewrite your entire page.

This is where most small business websites quietly fail. The owner migrated from HTTP to HTTPS six months ago — or their hosting provider did it automatically — but the internal links, image URLs, and embedded third-party resources still point to HTTP addresses. The certificate is in place. The padlock is broken anyway.

A San Diego physical therapy clinic migrated to HTTPS and assumed the job was done. Months later, a site audit turned up 38 mixed content errors — images, an old Google Maps embed, and a booking widget all loading over HTTP. The site looked fine to the owner. To Chrome, to Safari, and to any visitor on a secure network, it was flagging warnings.

You cannot see mixed content errors just by looking at your site. You need to open Chrome DevTools, go to the Console tab, and look for warnings that start with "Mixed Content." Or run your URL through a tool like WhyNoPadlock.com, which surfaces every unsecured resource on the page in plain language.
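
The Console check can also be run over a page's static HTML. The Python below is an added example, not part of the original article: it lists the subresources a page would request over http:// and labels each one active or passive as defined above. The sample markup and hostnames are constructed, and treating `<iframe>` as active and `<source>` as passive goes beyond the tag types the article names.

```python
from html.parser import HTMLParser

# The article's two categories; <iframe> and <source> are added for this example.
ACTIVE_TAGS = {"script", "iframe"}                  # blocked outright
PASSIVE_TAGS = {"img", "audio", "video", "source"}  # shown, padlock degraded

class MixedContentScanner(HTMLParser):
    """Collects subresources that an HTTPS page would fetch over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "link":
            # Only stylesheets are loaded and applied; rel=canonical is not a fetch.
            if "stylesheet" not in a.get("rel", "").lower().split():
                return
            kind, url = "active", a.get("href", "")
        elif tag in ACTIVE_TAGS:
            kind, url = "active", a.get("src", "")
        elif tag in PASSIVE_TAGS:
            kind, url = "passive", a.get("src", "")
        else:
            return  # <a href="http://..."> is navigation, not mixed content
        url = url.strip()
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))

def scan(html):
    """Return every insecure subresource found in the given HTML text."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (hostnames are placeholders).
SAMPLE = """
<head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<link rel="canonical" href="http://clinic.example/">
<script src="https://clinic.example/app.js"></script>
<script src="http://widgets.example.net/booking.js"></script>
</head><body>
<img src="http://clinic.example/uploads/2019/team.jpg">
<img src="/uploads/logo.png">
<iframe src="http://maps.example.org/embed?q=clinic"></iframe>
<a href="http://clinic.example/contact">Contact</a>
</body>
"""
```

It reads only tag attributes, so resources requested from inside CSS or by scripts at run time still need the DevTools check.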

Why this matters for search — beyond the ranking signal

The HTTPS ranking signal itself is modest. Google has said as much. But the downstream effects are not modest at all.

A browser that shows a "Not Secure" warning or blocks content increases your bounce rate. Visitors land, see the warning, and leave. A higher bounce rate — particularly when paired with a short visit duration — tells Google the page did not satisfy the query. That feeds back into ranking over time. It is not a direct penalty. It is a slow erosion.

There is also the crawl dimension. Google's crawler respects HTTPS as the canonical version of a URL. If your HTTP pages are not properly redirecting to HTTPS with 301 redirects, you may have duplicate content spread across two versions of your site. Your link equity splits. Your rankings dilute. The fix is a server-level 301 redirect from all HTTP URLs to their HTTPS equivalents — not just the homepage, every URL.

For local businesses especially, trust signals matter at the conversion layer, not just the ranking layer. A family law attorney or an immigration consultant is asking prospective clients to share sensitive information. If the browser flags that site as unsecured, the prospect does not fill out the contact form. They go back to Google and click the next result. That is a lead you paid to attract, lost at the door.

If you want to understand how technical issues like these connect to the broader visibility picture, Search Foundations is where we start every engagement — because the ceiling on any SEO effort is set by what the foundation allows.

How to audit your HTTPS setup in under 30 minutes

You do not need an agency to run this audit. You need Chrome, a notepad, and 30 minutes.

First, type your domain into Chrome starting with HTTP — not HTTPS. Watch what happens. If you land on the HTTP version without being redirected, you have a redirect problem. If you land on HTTPS with a 301 in the address bar, that layer is working.

Second, open your homepage in Chrome and hit F12 to open DevTools. Click the Console tab. Look for any red or yellow warnings mentioning "Mixed Content." Write down every URL flagged.

Third, click through five to ten inner pages — your about page, your services pages, your contact page, any blog posts. Repeat the DevTools check on each. Mixed content errors often appear on specific pages, not site-wide. A single old image embedded in a 2019 blog post can trigger a browser warning on that URL every time someone visits.

Fourth, check your internal links. Go into your CMS — WordPress, Squarespace, Webflow, wherever — and search for any internal links or image URLs that still start with http://. Replace them with https:// or, better, with relative URLs that do not specify a protocol at all.

Fifth, check your sitemap. Open yoursite.com/sitemap.xml. If any URLs in that file start with http://, fix them. The sitemap is what you submit to Google Search Console — you want it pointing to the right version of every page.
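
Steps one and five can be scripted. The Python below is an added example, not part of the original article: `redirect_verdict` judges the response to an http:// URL (the address bar shows only where you landed, so the status code is read from the response itself), and `insecure_sitemap_urls` lists sitemap entries still on http://. The function names, verdict labels and `clinic.example` sample data are constructed for illustration.

```python
import http.client
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

def first_hop(url, timeout=10):
    """Live request that does not follow redirects: (status, Location header)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def redirect_verdict(http_url, status, location):
    """Expect a permanent redirect to the same page on https://."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no-redirect"
    # A relative Location inherits the scheme of the URL that was requested.
    src, dst = urlsplit(http_url), urlsplit(urljoin(http_url, location))
    if dst.scheme != "https":
        return "not-https"
    if status not in (301, 308):  # 308 is the other permanent redirect code
        return "temporary"
    # The host may change (www canonicalisation); path and query must survive.
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        return "wrong-page"
    return "ok"

def insecure_sitemap_urls(xml_text):
    """<loc> entries still on http://. The xmlns URI is an identifier, not a page."""
    locs = (el.text or "" for el in ET.fromstring(xml_text).iter(SITEMAP_NS + "loc"))
    return [u.strip() for u in locs if u.strip().lower().startswith("http://")]

# Constructed sample sitemap.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://clinic.example/</loc></url>
  <url><loc>http://clinic.example/services</loc></url>
  <url><loc> http://clinic.example/blog/2019-post </loc></url>
</urlset>"""
```

Feed the result of `first_hop` into `redirect_verdict` for the http:// form of every URL in the sitemap, not only the homepage.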

If your site runs WordPress, a plugin like Better Search Replace can swap out HTTP references in the database in one pass. Run it on a staging environment first. Test after. Do not assume the swap is clean without checking.

For the technical side of how site speed and load performance connect to these issues, Why your slow site is a sales problem, not an IT problem covers the business case in plain terms. And if you want to understand what Google is measuring beyond HTTPS, Core Web Vitals: the three numbers that decide if Google bothers walks through the metrics that sit one layer above this foundation.

The certificate itself — what to check

An SSL/TLS certificate is what makes HTTPS work. Your hosting provider issues or installs it. Most reputable hosts offer free certificates through Let's Encrypt. If you are paying more than a nominal fee for a standard certificate, you are probably being upsold.

Certificates expire. Let's Encrypt certificates renew every 90 days, and most hosts handle renewal automatically. But automatic renewal fails. When it fails, your site drops to HTTP overnight. Visitors get a full-page browser error. Google's crawler cannot access your pages.

Set a calendar reminder to check your certificate expiry every 60 days. You can see the expiry date by clicking the padlock icon in Chrome and selecting "Connection is secure" then "Certificate is valid." The dates are right there. If the certificate expires in under 30 days and auto-renewal is supposed to be on, contact your host and confirm it.
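
The same expiry check can be scripted instead of clicked through. This Python is an added example, not from the original article; the function names and sample dates are constructed, and the 30-day threshold is the one given above.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # the article's threshold for contacting the host

def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter time (negative once expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def renewal_status(not_after, now=None):
    """Map the remaining lifetime to an action."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    return "contact-host" if remaining < WARN_DAYS else "ok"

def check_host(host, port=443, timeout=10):
    """Live check, needs network access. Returns (status, detail)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An expired or mismatched certificate fails the handshake itself,
        # which is the full-page browser error a visitor would see.
        return "invalid", exc.verify_message
    return renewal_status(not_after), not_after

# Constructed sample values in the format getpeercert() returns.
SAMPLE_NOT_AFTER = "Jun  1 12:00:00 2030 GMT"
SAMPLE_NOW = ssl.cert_time_to_seconds("May 12 12:00:00 2030 GMT")
```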

For businesses with multiple subdomains — a main site, a client portal, a booking system — each subdomain needs its own certificate, or you need a wildcard certificate that covers all of them. Wildcards cost more. They are worth it if you have more than two subdomains.

Where this breaks down

HTTPS alone will not move your rankings. If your content is thin, your site is slow, or your Google Business Profile is incomplete, fixing your certificate will not change much on its own. It is the floor, not the ceiling.

It also will not protect you from server-side vulnerabilities. A site can be fully HTTPS and still get hacked through an outdated plugin, a weak password, or an unpatched CMS. Encryption protects data in transit. It does not protect your server from intrusion.

The work McShanes Solicitors did on their technical foundation is a good example of how getting the basics right — HTTPS, redirects, page speed — creates the conditions for content and positioning to do their job. The foundation does not win alone. But without it, nothing else can win either.

Get the certificate right. Fix the mixed content. Set the redirects. Then move on to the work that actually builds visibility. Foundations first.

— FAQs

Things readers usually ask.

Does HTTPS directly improve my Google rankings?
HTTPS is a confirmed but small ranking signal. The bigger impact is indirect — browsers flag HTTP sites as "Not Secure," which increases bounce rates and reduces conversions, both of which erode rankings over time.

What is mixed content and how do I know if my site has it?
Mixed content occurs when an HTTPS page loads one or more resources — images, scripts, or fonts — over HTTP. Open Chrome DevTools on your page, check the Console tab, and look for warnings that say "Mixed Content."

My hosting provider says HTTPS is enabled. Why is my padlock still broken?
Enabling HTTPS on the server does not automatically update all the URLs inside your site. Internal links, image sources, and embedded widgets may still point to HTTP addresses, which causes mixed content warnings even with a valid certificate installed.

How often do SSL certificates expire and who is responsible for renewing them?
Let's Encrypt certificates expire every 90 days. Most hosts renew them automatically, but that process sometimes fails. Check your certificate expiry date every 60 days and contact your host to confirm auto-renewal is working.

Can I fix mixed content errors without a developer?
Yes, for most small business sites. In WordPress, a plugin like Better Search Replace can update HTTP references in your database. In other CMS platforms, search your content and settings for any URLs starting with http:// and update them to https://.