Low Security Header

Upgrade-Insecure-Requests

Learn how to automatically upgrade HTTP requests to HTTPS for improved security.

SiteSecurityScore Team·7 min read·Updated Feb 20, 2026

Upgrade-Insecure-Requests is a security header that automatically upgrades HTTP requests to HTTPS. This header helps prevent mixed content issues and ensures all requests use secure connections.

What is Upgrade-Insecure-Requests?

Upgrade-Insecure-Requests is a security header (also available as a CSP directive) that tells browsers to automatically rewrite HTTP URLs to HTTPS before making the request. If your HTTPS page contains a link to http://example.com/image.jpg, the browser will automatically request https://example.com/image.jpg instead. This is particularly helpful during the migration from HTTP to HTTPS, when your pages may still contain old HTTP URLs in the HTML.

  • Automatically rewrites http:// URLs to https:// before the browser makes the request
  • Prevents mixed content warnings that occur when HTTPS pages load HTTP resources
  • Helps during HTTP to HTTPS migration by fixing old URLs without editing every page
  • The upgrade happens in the browser, so no additional server requests are needed

Understanding Mixed Content

Mixed content occurs when an HTTPS page loads sub-resources (images, scripts, stylesheets, iframes) over plain HTTP. Browsers treat this as a security problem because the insecure resources can be intercepted and modified by attackers. Modern browsers block some types of mixed content entirely and show warnings for others.

  • Active mixed content (scripts, iframes) is blocked by all modern browsers
  • Passive mixed content (images, audio, video) may show a warning but still load
  • Mixed content degrades user trust by showing 'Not Secure' indicators
  • Search engines may penalize sites with mixed content issues

Why Not Just Fix the URLs?

In an ideal world, you would update every HTTP URL in your codebase to HTTPS. But for large sites with thousands of pages, legacy content, or database-stored HTML, this can take time. Upgrade-Insecure-Requests provides immediate protection while you work through the URL cleanup.

How It Works

When the browser encounters the Upgrade-Insecure-Requests header (or the equivalent CSP directive), it rewrites all insecure URLs on the page to their HTTPS equivalents. This includes images, scripts, stylesheets, fonts, AJAX requests, and other sub-resources. The upgrade is automatic and transparent to the user.

Configuration
# As a standalone header
Upgrade-Insecure-Requests: 1

# As a CSP directive (alternative)
Content-Security-Policy: upgrade-insecure-requests

# What the browser does:
# http://example.com/style.css → https://example.com/style.css
# http://cdn.example.com/lib.js → https://cdn.example.com/lib.js
# https://example.com/page → no change (already HTTPS)

Implementation Guide

You can enable Upgrade-Insecure-Requests as a standalone header or as part of your Content-Security-Policy. Both approaches achieve the same result.

Configuration
# Apache (.htaccess)
Header always set Content-Security-Policy "upgrade-insecure-requests"

# Nginx
add_header Content-Security-Policy "upgrade-insecure-requests" always;

# Node.js / Express
app.use((req, res, next) => {
  res.setHeader('Content-Security-Policy', 'upgrade-insecure-requests');
  next();
});

# Or as a standalone header
Header always set Upgrade-Insecure-Requests "1"

Best Practices

Use Upgrade-Insecure-Requests as part of your HTTPS migration strategy and ongoing security configuration.

  • Enable alongside HSTS for a complete HTTPS enforcement strategy
  • Verify that all your resources are actually available over HTTPS before enabling
  • Use the CSP directive form if you already have a Content-Security-Policy header
  • Continue updating HTTP URLs in your codebase to HTTPS even after enabling the header
  • Test that all page resources load correctly after enabling the upgrade
  • Remember that this only upgrades same-page resources, not navigation links to other sites
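
To support the verification and URL-cleanup items above, the following added example (not code from the original article) lists every http:// reference in a page and the URL the browser would request once upgrade-insecure-requests is in effect. The function name, the sample HTML and its hosts are constructed for illustration, and the regex-based tag matching is a simplification rather than a full HTML parser.

```javascript
// Added example: list http:// references in a page and the URL a browser
// would request for each once upgrade-insecure-requests is in effect.
// Tags whose insecure loads count as active mixed content.
// Assumption: every <link> is treated as a stylesheet.
const ACTIVE = new Set(['script', 'iframe', 'link']);

function auditInsecureUrls(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  // Opening tag plus its src/href value (simplified matching, quoted values only).
  const tagRe = /<(script|iframe|link|img|audio|video|source|a)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  for (const [, rawTag, rawUrl] of html.matchAll(tagRe)) {
    const tag = rawTag.toLowerCase();
    const url = new URL(rawUrl, pageUrl);   // resolve relative URLs against the page
    if (url.protocol !== 'http:') continue; // already HTTPS, nothing to upgrade
    let kind;
    let upgraded = true;                    // sub-resources are always upgraded
    if (tag === 'a') {
      kind = 'navigation';
      // Links to other sites are not upgraded; same-host links are.
      upgraded = url.hostname === pageHost;
    } else {
      kind = ACTIVE.has(tag) ? 'active' : 'passive';
    }
    const original = url.href;
    if (upgraded) url.protocol = 'https:';
    // "requested" is the URL that must answer over HTTPS before enabling the policy.
    findings.push({ tag, kind, original, requested: url.href, upgraded });
  }
  return findings;
}

// Constructed sample page (not from the original article).
const SAMPLE_PAGE = 'https://example.com/page';
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://example.com/style.css">
<script src="http://cdn.example.com/lib.js"></script>
<img src="http://example.com/image.jpg">
<img src="/logo.png">
<a href="http://other.example.net/docs">Docs</a>
<a href="http://example.com/about">About</a>`;

console.table(auditInsecureUrls(SAMPLE_HTML, SAMPLE_PAGE));
```

Each `requested` value is a URL to confirm over HTTPS before turning the policy on, and each `original` value is an entry for the ongoing cleanup of stored http:// URLs.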

Implementation Examples

Enable HTTPS Upgrade

Upgrade-Insecure-Requests: 1

Automatically upgrades HTTP requests to HTTPS

Explanation: This tells browsers to automatically upgrade HTTP requests to HTTPS, preventing mixed content issues.

Key Directives

1

Enables automatic HTTPS upgrade
