JOIN OUR AFFILIATE NETWORK

Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


Migrate easily to HTTP with the Upgrade Insecure Requests CSP directive

"Upgrade Insecure Requests" is a CSP (Content Security Policy) directive that allows you to indicate to HTTP clients/browsers that all resources must be accessed via HTTPS.

This allows you to migrate more easily to HTTPS websites or webapps that contain a great number of HTTP-declared resources. Your resources will automatically be requested on HTTPS by the client/browser, without any mixed content alert.

You will of course need your resource servers to be accessible using HTTPS.

Support

Upgrade Insecure Requests is supported by Mozilla Firefox (42+), Google Chrome (43+), Microsoft Edge (Build 17134+), Opera (30+), le navigateur Android (56+), (Chrome pour Android, Safari Mac 0.1+), Safari iOS (10.3+), amongst others.

Internet Explorer is not compatible

Implementation

To implement this feature on your web server, you only need to declare a new HTTP header in your site's configuration.

Apache

For Apache, you will first need to load the header module. For instance:

LoadModule headers_module modules/mod_headers.so

You will then need to charge the header in your virtual host:

Header always set Content-Security-Policy "upgrade-insecure-requests;"

IIS

IIS allows you to add custom HTTP headers. You just have to add a header with the name Content-Security-Policy and the value upgrade-insecure-requests;.

Nginx

For Nginx, you just have to add the following instruction to your server block:

add_header Content-Security-Policy upgrade-insecure-requests;

Lighthttpd

You will first need to load the setEnv module by adding this instruction to your configuration:

server.modules += ( "mod_setenv" )

Then, you can enable it for your site:

setenv.add-response-header = ( "Content-Security-Policy" => "upgrade-insecure-requests;" )

Others

You can configure this feature on all servers allowing you to configure your HTTP headers by adding a "Content-Security-Policy" header with the value "upgrade-insecure-requests;".

Additional ressources

  • If your site is already fully accessible in HTTPS, resources and links included, and that you want to enable HTTPS by default, you can use HSTS.