We're looking for a person or people to help audit MDN to find places we could speed up. Is this you or someone you know? Check out the RFP: https://mzl.la/2IHcMiE


The HTTP Upgrade-Insecure-Requests request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive.

Header type Request header
Forbidden header name no


Upgrade-Insecure-Requests: 1


A client requests  signals to the server that it supports the upgrade mechanisms of upgrade-insecure-requests:

GET / HTTP/1.1 
Host: example.com 
Upgrade-Insecure-Requests: 1

The server can now redirect to a secure version of the site. A Vary header can be used so that the site isn't served by caches to clients that don’t support the upgrade mechanism.

Location: https://example.com/ 
Vary: Upgrade-Insecure-Requests


Specification Status Comment
Upgrade Insecure Requests
The definition of 'upgrade-insecure-requests' in that specification.
Candidate Recommendation Initial definition.

Browser compatibility

FeatureChromeEdgeFirefoxInternet ExplorerOperaSafari
Basic support44 No148 No31 ?
FeatureAndroid webviewChrome for AndroidEdge mobileFirefox for AndroidIE mobileOpera AndroidiOS Safari
Basic support ?44 No48 ?31 ?

1. Under consideration for future release.

See also

Document Tags and Contributors

 Contributors to this page: fscholz, teoli
 Last updated by: fscholz,