Migrate easily to HTTPS with the Upgrade Insecure Requests CSP directive
"Upgrade Insecure Requests" is a CSP (Content Security Policy) directive that allows you to indicate to HTTP clients/browsers that all resources must be accessed via HTTPS.
This makes it easier to migrate to HTTPS websites or web apps that contain a large number of resources declared over HTTP. Your resources will automatically be requested over HTTPS by the client/browser, without any mixed content alert.
You will of course need your resource servers to be accessible using HTTPS.
Support
Upgrade Insecure Requests is supported by Mozilla Firefox (42+), Google Chrome (43+), Microsoft Edge (Build 17134+), Opera (30+), the Android browser (56+), (Chrome for Android, Safari Mac 0.1+), Safari iOS (10.3+), among others.
Internet Explorer does not support it.
Implementation
To implement this feature on your web server, you only need to declare a new HTTP header in your site's configuration.
Apache
For Apache, you will first need to load the header module. For instance:
LoadModule headers_module modules/mod_headers.so
You will then need to set the header in your virtual host:
Header always set Content-Security-Policy "upgrade-insecure-requests;"
IIS
IIS allows you to add custom HTTP headers. You just have to add a header with the name Content-Security-Policy and the value upgrade-insecure-requests;.
Nginx
For Nginx, you just have to add the following instruction to your server block:
add_header Content-Security-Policy upgrade-insecure-requests;
Lighttpd
You will first need to load the setEnv module by adding this instruction to your configuration:
server.modules += ( "mod_setenv" )
Then, you can enable it for your site:
setenv.add-response-header = ( "Content-Security-Policy" => "upgrade-insecure-requests;" )
Others
You can configure this feature on all servers allowing you to configure your HTTP headers by adding a "Content-Security-Policy" header with the value "upgrade-insecure-requests;".
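Once the header is deployed, it is worth verifying it from the response and understanding what the browser will do with it. The following added example (not from the original article) parses a Content-Security-Policy value for the directive and previews the URL rewrite a compliant browser applies; the sample response headers and resource URLs are constructed.

```python
"""Added check: parse a server's Content-Security-Policy header for
upgrade-insecure-requests and preview how a browser rewrites http:// URLs."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: response headers like those the Apache/Nginx snippets above emit.
SAMPLE_HEADERS = [
    ("Server", "Apache"),
    ("Content-Security-Policy", "default-src 'self'; upgrade-insecure-requests;"),
]

def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source values]}.
    Directives are ';'-separated; names are ASCII case-insensitive, and the
    empty trailing token left by "upgrade-insecure-requests;" is ignored."""
    policy: dict[str, list[str]] = {}
    for token in header_value.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def has_upgrade_insecure_requests(headers: list[tuple[str, str]]) -> bool:
    """True if an enforcing Content-Security-Policy header carries the
    directive; a Content-Security-Policy-Report-Only header is not counted."""
    return any(
        name.lower() == "content-security-policy"
        and "upgrade-insecure-requests" in parse_csp(value)
        for name, value in headers
    )

def upgrade_url(url: str) -> str:
    """Rewrite a resource URL the way the directive instructs the browser to:
    http becomes https, an explicit port 80 becomes 443, any other explicit
    port is kept, and non-http URLs are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0] + ":443"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

if __name__ == "__main__":
    print("directive present:", has_upgrade_insecure_requests(SAMPLE_HEADERS))
    # Constructed resource URLs as a legacy page might declare them.
    for u in ("http://cdn.example.com/app.js", "http://cdn.example.com:8080/img.png"):
        print(u, "->", upgrade_url(u))
```

Remember that the upgraded request still has to succeed: every host the rewrite produces must serve the resource over HTTPS with a valid certificate.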
Additional resources
- If your site is already fully accessible over HTTPS, resources and links included, and you want to enable HTTPS by default, you can use HSTS.