Is your entire site served securely over HTTPS with no insecure leftovers?
AI crawlers strongly prefer HTTPS sites and quietly downgrade trust in any page with mixed insecure resources.
What this signal tests
We check three related things. First, that your site is reachable over the secure HTTPS protocol. Second, that the insecure HTTP version automatically redirects users to HTTPS rather than serving them an unencrypted copy. Third, that the pages served over HTTPS do not load any sub-resources - images, scripts, stylesheets - over the old insecure HTTP scheme, which would be flagged as mixed content.
Why it matters for your visibility in AI
AI crawlers have inherited Google's strong preference for HTTPS, and any mixed insecure content on a page silently reduces its trust signals. A page with one HTTP image loaded inside an HTTPS document is treated as less reliable than a clean HTTPS-only page, and is cited less often in AI answers. If the entire site is still on HTTP, or if the HTTP-to-HTTPS redirect is missing, AI crawlers see two parallel versions of every page and have to pick between them. This splits ranking signals across both, and increases the chance that neither version is judged authoritative enough to cite. Competitors who completed the HTTPS migration years ago benefit from the consolidated signal.
Pass criteria at a glance
| Criterion | Passes when |
|---|---|
| 100% HTTPS + auto HTTP redirect + zero mixed content. |
How we test it
We request your site over plain HTTP and confirm the server responds with a permanent redirect to the HTTPS version. We then sample several internal URLs across your domain to confirm each one uses HTTPS and returns a valid certificate. Finally we parse a few rendered pages and scan for any embedded resources - images, scripts, fonts, iframes - whose URL still starts with http:// even though the parent page is HTTPS.
Show technical detection method
GET http://{host}/ -> expect 301/308. Sample N internal URLs; confirm scheme==https. Parse rendered HTML for http:// sub-resources on https:// pages.
If your site fails: how to fix it
- Provision a TLS certificate for your domain if you do not have one. Most hosts and CDNs offer free certificates from Let's Encrypt that auto-renew; no excuse to be HTTP-only in 2026.
- Configure your web server or CDN to redirect every request on port 80 (plain HTTP) to the equivalent URL on port 443 (HTTPS), using a permanent 301 or 308 redirect status code.
- Run a search across your codebase and database for any hardcoded http:// URLs pointing at your own domain and replace them with https:// equivalents. Common offenders are old blog posts, image references, and embedded scripts.
- Update any references to third-party assets (fonts, analytics, embedded video, CDN-hosted images) to use HTTPS URLs. Modern providers all support HTTPS - there is no reason to load anything over HTTP today.
- Re-run the AI Ready Test and confirm both the redirect and zero mixed content.
Quick facts
| Maturity | ESTABLISHED |
|---|---|
| Weight | high |
| Category | Crawlability |
Primary sources
Related signals
Frequently asked questions
Do I need to buy an SSL certificate?
Usually no. Let's Encrypt provides free certificates that auto-renew every 90 days, and most modern hosting platforms - Vercel, Netlify, Cloudflare, Shopify, WordPress hosts - provision and renew them for you with one click. Paid certificates are only needed in specific enterprise scenarios.
What is mixed content exactly?
It is when an HTTPS page loads sub-resources - an image, a script, a font, an embedded video - over plain HTTP. Modern browsers block most types and warn users about the rest. AI crawlers treat mixed-content pages as lower-trust and less likely to be the canonical source.
Will switching to HTTPS hurt my existing search rankings?
Short-term, you may see brief fluctuation while crawlers re-index the new URLs. Long-term, HTTPS is a ranking positive in both classic search and AI systems. Make sure your 301 redirects from HTTP to HTTPS are clean to preserve link equity.
How do I find mixed content on my site?
Browser developer tools flag mixed content with warnings in the console. There are also free crawl-based tools like Why No Padlock or the JitBit SSL checker. Lighthouse audits and the AI Ready Test will surface the problem pages too.
Run your own scan
Run a free scan and see how your site grades across all 155 AI-readiness signals.