upgrade-insecure-requests CSP Directive

Security Glossary - Security Headers

Definition: The upgrade-insecure-requests CSP directive instructs the browser to automatically upgrade HTTP resource requests to HTTPS before sending them. This is useful when migrating a site to HTTPS where some internal URLs or embedded content still reference HTTP URLs.

Why upgrade-insecure-requests Matters

When migrating a site from HTTP to HTTPS, it is common to have legacy content with hardcoded HTTP URLs for images, scripts, and stylesheets. Finding and updating every HTTP reference across a large site can be time-consuming. upgrade-insecure-requests provides an immediate fix by telling the browser to request the HTTPS version automatically.

This directive only affects resource URLs within the page (images, scripts, stylesheets, etc.) - it does not redirect the page itself. For that, you need server-side HTTP-to-HTTPS redirects and HSTS. upgrade-insecure-requests is a complement to these measures, not a replacement.

The directive is particularly useful for sites with user-generated content where you cannot control the URLs users have entered. If a blog comment contains an HTTP image URL, upgrade-insecure-requests will attempt to load it over HTTPS instead, preventing mixed content warnings.

How to Test for upgrade-insecure-requests

A security audit checks for the upgrade-insecure-requests directive in your CSP. If you have mixed content issues (HTTP resources on HTTPS pages), adding this directive is a quick mitigation while you work on fixing the source URLs.
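The two things described above (what the directive does to the subresource URLs in a page, and how an audit checks for it in the Content-Security-Policy header) can be exercised offline with a small script. The following is an added example written for this page, not code from DomainOptic or from any browser; the directive parsing follows the semicolon-separated grammar of the CSP spec, the upgrade rule mirrors the spec's behaviour of rewriting http: to https: (with an explicit port 80 becoming 443), and the header value and HTML below are constructed sample input. The script only shows which URLs would be upgraded; as the FAQ notes, whether the HTTPS version actually exists can only be confirmed by fetching it.

```python
"""Offline check for upgrade-insecure-requests (added example, not the page's code).

1. has_upgrade_insecure_requests(): does a CSP header value carry the directive?
2. find_mixed_content(): which http:// subresources would the directive upgrade?
3. upgrade_url(): the https:// URL the browser would request instead.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that make the browser fetch a subresource. Navigations (<a href>)
# are deliberately excluded: the directive only upgrades same-host navigations,
# and the page itself is never redirected by it.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}


def parse_csp(header_value):
    """Parse a CSP header into {directive_name: [tokens]}; names are case-insensitive."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy


def has_upgrade_insecure_requests(header_value):
    return "upgrade-insecure-requests" in parse_csp(header_value)


def upgrade_url(url):
    """Return the URL requested under upgrade-insecure-requests.

    Only absolute http: URLs change; https:, data: and relative URLs are returned
    as-is. An explicit ":80" becomes ":443", following the spec's upgrade step.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    netloc = parts.netloc
    host, sep, port = netloc.rpartition(":")
    if sep and port == "80":
        netloc = host + ":443"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


class MixedContentFinder(HTMLParser):
    """Collect (tag, attribute, url) for every http:// subresource in the HTML."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attr_map.get(attr)
            if not value:
                continue
            # srcset holds "url descriptor, url descriptor, ..."; take each url.
            if attr == "srcset":
                candidates = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for url in candidates:
                if url.lower().startswith("http://"):
                    self.insecure.append((tag, attr, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure


def audit(csp_header, html):
    """Return (directive_present, [(original_url, url_after_upgrade), ...])."""
    present = has_upgrade_insecure_requests(csp_header)
    upgrades = [(url, upgrade_url(url)) for _, _, url in find_mixed_content(html)]
    return present, upgrades


# Constructed sample input: a header with the directive and a page that mixes
# hardcoded HTTP assets with a user-submitted comment image.
SAMPLE_CSP = "default-src 'self'; img-src *; upgrade-insecure-requests"
SAMPLE_HTML = """<html><body>
<img src="http://cdn.example.test/logo.png">
<script src="https://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="http://cdn.example.test:80/site.css">
<p>Comment: <img src="http://user-images.example.test/pic.jpg"></p>
</body></html>"""

if __name__ == "__main__":
    present, upgrades = audit(SAMPLE_CSP, SAMPLE_HTML)
    print("upgrade-insecure-requests present:", present)
    for before, after in upgrades:
        print(f"{before} -> {after}")
```

Running the script lists three http:// subresources and their https:// equivalents while the https script is left alone; swapping SAMPLE_CSP for a policy without the directive reports `present` as False, which is the condition a header audit flags when the page also has mixed content.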

Frequently Asked Questions

Does upgrade-insecure-requests fix all mixed content?

It fixes most mixed content by upgrading HTTP requests to HTTPS. However, if the HTTPS version of a resource does not exist or returns an error, the resource will fail to load. It is still a best practice to update source URLs to use HTTPS directly.

Should I use upgrade-insecure-requests or block-all-mixed-content?

Use upgrade-insecure-requests - it attempts to load resources over HTTPS rather than blocking them. block-all-mixed-content simply blocks HTTP resources without trying to upgrade them, which breaks more content without providing additional security.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.