Content-Security-Policy: upgrade-insecure-requests Directive
The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to automatically upgrade all insecure resource requests (those served over HTTP) to secure requests using HTTPS.
Purpose
This directive helps websites ensure all their content is loaded securely by converting HTTP resources to HTTPS before making the request. It is particularly useful for enforcing HTTPS without altering the actual URLs in the site's source code.
Behavior
- When enabled, browsers rewrite insecure URL requests to HTTPS.
- It applies to all types of resource requests, including images, scripts, stylesheets, iframes, etc.
- If upgrading a request fails, the resource load is blocked.
Usage Example
http Content-Security-Policy: upgrade-insecure-requests
With this header, a request to http://example.com/script.js is upgraded to https://example.com/script.js automatically by the browser.
Important Notes
"This directive allows sites to gradually transition to secure URLs without having to rewrite every reference to HTTP resources."
Using upgrade-insecure-requests complements other security measures by preventing mixed content issues that can degrade website security and user trust.
This directive simplifies enforcing HTTPS by automatically redirecting all insecure resource requests to secure HTTPS equivalents, enhancing website security without changing existing URLs.
More News
- Northern lights may appear in 15 states, including Wisconsin, on Dec. 3 and 4
- NOAA SWPC Alertes, surveillances et avertissements
- Iceland Foods trials aisle-roaming robots as part of retail media push
- [X1.9 solar flare erupts from Sun, causing brief radio blackout]
- Kanye West, Bianca Censori visit South Korea after Kim Kardashian’s new claims
- X1.9 flare (R3-Strong) event
- Israeli raids deepen humanitarian crisis
- Ryan Serhant exposes America’s new real estate reality
- Massive sun eruption triggers emergency alert
- WEST | Cambridge Dictionary (EN)