upgrade-insecure-requests
Content-Security-Policy Other

Overview

upgrade-insecure-requests is a flag-style directive that instructs the browser to automatically upgrade http:// resource requests on the page to https:// before sending them. It takes no value and acts by mere presence, easing mixed-content problems during migration.

Details

On an HTTPS site with hardcoded http references to images, scripts, or styles, those load as mixed content and get blocked or warned. On large legacy sites where fixing every URL is hard, enabling this directive makes the browser rewrite the scheme to https right before sending, coaxing a secure connection without editing links. Note it also applies to same-origin navigations (a href) and upgrades cross-origin resources.

This differs in purpose from block-all-mixed-content, which blocks resources that cannot be upgraded. upgrade-insecure-requests is a proactive migration tool ('rewrite to https and keep it working'), whereas block-all-mixed-content is a blocking tool ('if not secure, just block it'). Modern browsers increasingly auto-upgrade/block mixed content by default, so treat this directive as a transitional aid.

Syntax

Content-Security-Policy: upgrade-insecure-requests

Notes

Related directives