The HTTP Upgrade-Insecure-Requests request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive.

Header type Request header
Forbidden header name no

Syntax

Upgrade-Insecure-Requests: 1

Examples

A client requests  signals to the server that it supports the upgrade mechanisms of upgrade-insecure-requests:

GET / HTTP/1.1 
Host: example.com 
Upgrade-Insecure-Requests: 1

The server can now redirect to a secure version of the site. A Vary header can be used so that the site isn't served by caches to clients that don’t support the upgrade mechanism.

Location: https://example.com/ 
Vary: Upgrade-Insecure-Requests

Specifications

Specification Status Comment
Upgrade Insecure Requests
The definition of 'upgrade-insecure-requests' in that specification.
Candidate Recommendation Initial definition.

Browser compatibility

FeatureChromeEdgeFirefoxInternet ExplorerOperaSafari
Basic support44 No148 No3110.1
FeatureAndroid webviewChrome for AndroidEdge mobileFirefox for AndroidOpera AndroidiOS SafariSamsung Internet
Basic support ?44 No483110.34.0

1. Under consideration for future release.

See also

Document Tags and Contributors

Contributors to this page: fscholz, teoli
Last updated by: fscholz,