Upgrade-Insecure-Requests

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since April 2018.

The HTTP Upgrade-Insecure-Requests request header sends a signal to the server indicating the client's preference for an encrypted and authenticated response, and that the client can successfully handle the upgrade-insecure-requests CSP directive.

Header type Request header
Forbidden header name No

Syntax

http
Upgrade-Insecure-Requests: <boolean>

Directives

<boolean>

1 indicates 'true' and is the only valid value for this field.

Examples

Using Upgrade-Insecure-Requests

A client's request signals to the server that it supports the upgrade mechanisms of upgrade-insecure-requests:

http
GET / HTTP/1.1
Host: example.com
Upgrade-Insecure-Requests: 1

The server can now redirect to a secure version of the site. A Vary header can be used so that the site isn't served by caches to clients that don't support the upgrade mechanism.

http
Location: https://example.com/
Vary: Upgrade-Insecure-Requests

Specifications

Specification
Upgrade Insecure Requests
# preference

Browser compatibility

Report problems with this compatibility data on GitHub
desktopmobile
Chrome
Edge
Firefox
Opera
Safari
Chrome Android
Firefox for Android
Opera Android
Safari on iOS
Samsung Internet
WebView Android
WebView on iOS
Upgrade-Insecure-Requests

Legend

Tip: you can click/tap on a cell for more information.

Full support
Full support

See also