Mixed Content (HTTP URLs in HTTPS Sitemap)

Updated April 2026·By SitemapFixer Team

Your sitemap lives at https://example.com/sitemap.xml but some URLs inside still start with http://. Google treats HTTP and HTTPS as two different sites, so mixed-protocol sitemaps create duplicate-content confusion, split ranking signals, and often trigger cross-submit errors that prevent Google from processing the sitemap at all.

Find every HTTP URL in your sitemap
We highlight every non-matching-protocol URL in your feed
Analyze My Sitemap

What is this error?

Mixed content in a sitemap occurs when the protocol of a URL (http:// or https://) doesn't match the protocol of the sitemap file itself. Google's cross-submit rule states that URLs in a sitemap must live on the same protocol and hostname as the sitemap - otherwise they're silently ignored. Search Console will show "Couldn't fetch" or simply not report the URL at all.

Why does it happen?

This is almost always a leftover from an HTTPS migration. The site moved to HTTPS, but the sitemap generator still pulls URLs from a database column containing http:// prefixes. Other causes: hardcoded HTTP URLs in CMS templates, old image URLs on http://cdn.example.com, or plugins that generate sitemap entries from a config file that was never updated.

Why does it hurt SEO?

Three problems stack up. First, Google may ignore the HTTP URLs entirely due to cross-submit restriction. Second, if the HTTP URL redirects to HTTPS, Google flags it as "Page with redirect" - a wasted entry. Third, users clicking HTTP links from Google's index see browser security warnings, hurting click-through rate and bounce metrics that Google measures as engagement signals.

How to detect it

Open your sitemap and search (Ctrl+F) for "http://" - if any results appear in your HTTPS sitemap, you have mixed content. Sitemap Fixer flags every URL whose protocol doesn't match the sitemap root, including deeper issues like www.example.com vs example.com mismatches that are often overlooked.

How to fix it

1. Run a SQL UPDATE on your CMS database to rewrite http:// URLs to https://. 2. Add a 301 redirect at the server level from http://* to https://* so any external HTTP references resolve correctly. 3. Update the sitemap generator config to force HTTPS on URL construction. 4. Regenerate sitemap.xml and verify every URL starts with https://. 5. In Search Console, ensure you're using the HTTPS property, not the HTTP one - resubmit there. 6. Use a crawler (Screaming Frog, Sitemap Fixer) to double-check no internal links still emit HTTP.

Real-world example

An enterprise news site completed their HTTPS migration but their sitemap still contained 4,200 HTTP article URLs because the generator read from a legacy read-replica. Google ignored all of them for 5 weeks. After a database migration script rewrote the URLs, indexed pages jumped from 1,800 to 5,900 within 3 weeks.

Common mistakes

Frequently Asked Questions

Can my sitemap contain both HTTP and HTTPS URLs?
Technically yes, but it's strongly discouraged. Google treats HTTP and HTTPS versions of the same URL as separate documents, so mixing them creates duplicate content problems and dilutes ranking signals between the two versions.
Should my sitemap URL itself be HTTPS?
Yes, always. The sitemap.xml must be served over HTTPS if your site uses HTTPS, and it must live on the same protocol and hostname as the URLs it contains (this is called cross-submit restriction).
What happens if I list an HTTP URL that 301-redirects to HTTPS?
Google will follow the redirect but marks the HTTP entry as 'Page with redirect' in Search Console. It still wastes a sitemap slot - list the final HTTPS destination directly instead.
Fix this in your sitemap now
Enter your domain and get a full sitemap audit in 60 seconds
Analyze My Sitemap Free
Related sitemap errors
All sitemap errors