Check creatives for SSL compatibility

Learn about the SSL protocol and to ensure creatives are secure

Many webpages today are secure. The URL for a secure webpage begins with the SSL (Secure Sockets Layer) protocol:


Creatives that serve on secure pages must also be secure—otherwise, some browsers or apps might display warnings about mixed content or simply fail to show the creative. For this reason, it's important to confirm that creatives are secure. Secure creatives can serve to insecure webpages (http://), as these creatives do not pose an issue or show warnings to the user.

All creatives, resources, or assets uploaded to Ad Manager are SSL compliant by default. However, sometimes creatives hosted on third-party servers are not SSL compliant and, therefore, considered insecure.

This article explains what type of content can be blocked, how to check for SSL compatibility, and how to override checks.

What is SSL compliance?

All primary resources or assets of a creative must be hosted in secure web locations for the creative to be SSL compliant. Secure web locations start with the SSL protocol:


Web locations for images, CSS stylesheets, JavaScript files, or tracking pixels must all begin with the SSL protocol. Primary resources or assets of a creative can reference other, secondary resources that are insecure, but all primary resources referenced must be secure.

Good to know about SSL compliance

SSL compliance does not extend to click-through URLs in the creative itself. Click-through URLs may be either secure (https://) or insecure ( http://) without violating SSL compliance.

What content is blocked?

Each secure environment is different, so check the specifications of each environment to ensure all creatives will render successfully. Usually, content is grouped into two categories:

  • Passive content: Typically not blocked
  • Active content: Often blocked.

An overview of the differences between the two types can be reviewed on Mozilla's Developer MDN web docs.

Check for SSL compatibility

Here’s a way to check for SSL compatibility:

  1. Traffic the creative using a test line item.
  2. Create a standalone test page for the creative.
  3. Load it in Chrome.
  4. Check the Console in Chrome DevTools.

For any unsecured resources, Chrome displays a “Mixed Content” message in the Console. Some text will be in red or yellow:

  • Red: Errors that indicate the resource was blocked.
  • Yellow: Warnings that should be fixed, but most secure environments will still allow this content to load even though it’s unsecured.

SSL compatibility scanning in Ad Manager

For creative types that Ad Manager does not host, Ad Manager checks the creative for SSL compatibility.

You should work with all of your third-party partners to ensure SSL compliance. This includes partners who use third-party tags in their creatives. Although Google SSL compliance scans have a high degree of accuracy, automatic detection is not always possible with complex creatives serving mixed content.
  • By default, this information is shown in the creative's settings and in reports.
  • Creatives are initially scanned within 12 hours after they're added to Ad Manager, and scanned again within 12 hours after any change is made.
  • Active creatives will also periodically be re-scanned.
  • Ad Manager automatically scans creatives if they are set up in a line item scheduled to serve within 3 days.
  • Make sure you reactivate your line item to allow the creative to be re-scanned.
Review all SSL compatibility scans and their results in the change history of a creative. Note that automated scans display "Malware Analyzer" as the user.

Override automatic SSL compatibility checking

In some cases, you might want to override the automatic SSL compatibility detection. For example:

  • You might be using an incompatible creative within a line item that targets browsers where SSL compatibility isn't an issue.
  • You believe that the automatic SSL detection isn't flagging your creative properly as SSL compliant.

In such cases, you can:

  1. Click override in the SSL compatibility field in the creative's settings.
  2. Use the switch to set SSL compatibility as Yes or No.

Ad Manager delivers the creative according to the compatibility value you set.

Note that the IDFA or AdID macro does not expand the IDFA or AdID value if you override the detection.

Check a creative's SSL compatibility status

For creatives where it's relevant, the SSL compatibility is displayed within the creative settings. You can also run reports to show SSL-compatible and non-compatible creatives, using the following attributes under “Creative”:

  • Creative SSL scan result: Shows the result of Ad Manager's scan of the creative. The possible values for this attribute are:
    • Compliant: SSL scanner did not find any unsecured items in this creative.
    • Non-compliant: SSL scanner found at least one unsecured item in the chain of resources for this creative.
      For very complex, non-standard creatives (for example, creatives with JSON responses to AJAX requests), the SSL scanner may not be able to fully scan the creative and mark it as non-compliant.
    • Not applicable: SSL scanner didn’t scan the creative type.
    • Not yet scanned: SSL scanner has not yet run on this creative.
  • Creative SSL compliance override: Shows whether there's an override, and how the override has been set.

SSL compatibility scan-based serving

Ad Manager also supports serving creatives based on the compatibility scan so that only compatible creatives serve. This feature is activated by default for all AMP pages. To activate this feature for the rest of your site, contact customer support to change your network settings.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu