Upgrade Insecure Requests Directive
Use the upgrade-insecure-requests CSP directive to automatically upgrade HTTP resource requests to HTTPS. Migrate mixed content without manually updating every URL in your codebase.
Detailed Explanation
The upgrade-insecure-requests Directive
The upgrade-insecure-requests directive instructs the browser to automatically upgrade all HTTP resource requests to HTTPS before the request is made. This is a powerful tool for migrating sites from HTTP to HTTPS without breaking mixed content.
How It Works
Content-Security-Policy: upgrade-insecure-requests
With this directive, the browser rewrites:
http://example.com/image.png→https://example.com/image.pnghttp://cdn.example.com/script.js→https://cdn.example.com/script.jsws://realtime.example.com→wss://realtime.example.com
This happens transparently — the HTML is not modified, only the actual network requests are upgraded.
What Gets Upgraded
| Resource Type | HTTP URL | Upgraded To |
|---|---|---|
| Scripts | http://cdn.example.com/app.js |
https://cdn.example.com/app.js |
| Stylesheets | http://cdn.example.com/style.css |
https://cdn.example.com/style.css |
| Images | http://images.example.com/photo.jpg |
https://images.example.com/photo.jpg |
| XHR/Fetch | http://api.example.com/data |
https://api.example.com/data |
| WebSocket | ws://ws.example.com |
wss://ws.example.com |
| Fonts | http://fonts.example.com/font.woff2 |
https://fonts.example.com/font.woff2 |
| Media | http://media.example.com/video.mp4 |
https://media.example.com/video.mp4 |
What Does NOT Get Upgraded
- Navigation requests — clicking an
<a href="http://...">link is NOT upgraded (use HSTS for that) - Third-party sites that do not support HTTPS — the upgraded request will fail
- Cross-origin requests where the HTTPS version returns different content
Combining with Other Headers
For a complete HTTPS migration strategy:
Content-Security-Policy: upgrade-insecure-requests
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
upgrade-insecure-requestshandles mixed content within pagesStrict-Transport-Security(HSTS) ensures the browser always uses HTTPS for your domain
Migration Strategy
- Enable HTTPS on your server and all resource origins
- Add
upgrade-insecure-requeststo your CSP to fix mixed content warnings - Gradually update hardcoded
http://URLs in your codebase tohttps:// - Enable HSTS once all resources support HTTPS
- Remove
upgrade-insecure-requestsonce all URLs are HTTPS (optional — it does no harm to keep it)
Browser Behavior
When the browser upgrades a request and the HTTPS version is not available (connection refused, certificate error), the request fails silently — it does not fall back to HTTP. This is by design to prevent downgrade attacks.
Report-Only Equivalent
There is no report-only mode for upgrade-insecure-requests. However, you can use the related block-all-mixed-content directive in report-only mode to find mixed content without upgrading it:
Content-Security-Policy-Report-Only: block-all-mixed-content; report-uri /csp-report
Use Case
This directive is essential during HTTP-to-HTTPS migrations. Large codebases with thousands of hardcoded http:// URLs in templates, CMS content, and legacy code cannot be updated overnight. Adding upgrade-insecure-requests immediately fixes mixed content warnings while you gradually update URLs. It is also useful for sites that pull content from user-generated sources where HTTP URLs may appear in stored data.