
Migrate easily to HTTPS with the Upgrade Insecure Requests CSP directive

"Upgrade Insecure Requests" is a CSP (Content Security Policy) directive that allows you to indicate to HTTP clients/browsers that all resources must be accessed via HTTPS.

This makes it easier to migrate to HTTPS those websites or webapps that contain a great number of resources declared with HTTP URLs. Your resources will automatically be requested over HTTPS by the client/browser, without any mixed content alert.

You will of course need your resource servers to be accessible using HTTPS.


Upgrade Insecure Requests is supported by Mozilla Firefox (42+), Google Chrome (43+), Microsoft Edge (Build 17134+), Opera (30+), the Android browser (56+), (Chrome for Android, Safari Mac 0.1+), Safari iOS (10.3+), amongst others.

Internet Explorer is not compatible.


To implement this feature on your web server, you only need to declare a new HTTP header in your site's configuration.


For Apache, you will first need to load the header module. For instance:

LoadModule headers_module modules/

You will then need to set the header in your virtual host:

Header always set Content-Security-Policy "upgrade-insecure-requests;"


IIS allows you to add custom HTTP headers. You just have to add a header with the name Content-Security-Policy and the value upgrade-insecure-requests;.


For Nginx, you just have to add the following instruction to your server block:

add_header Content-Security-Policy upgrade-insecure-requests;


For Lighttpd, you will first need to load the setenv module by adding this instruction to your configuration:

server.modules += ( "mod_setenv" )

Then, you can enable it for your site:

setenv.add-response-header = ( "Content-Security-Policy" => "upgrade-insecure-requests;" )


You can enable this feature on any server that lets you configure HTTP response headers, by adding a "Content-Security-Policy" header with the value "upgrade-insecure-requests;".
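
One way to confirm that a server configured as above really sends the directive, as an added example that is not TBS code: the function parses a raw response header block (for instance the output of `curl -sI`) and reports whether the directive is enforced. The function names and sample responses are constructed for illustration; the directive is treated as not applied when it only appears in a Content-Security-Policy-Report-Only header, where browsers ignore it.

```python
# Added example: check a raw HTTP header block for an enforced
# upgrade-insecure-requests directive. All sample responses are constructed.
ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"
UIR = "upgrade-insecure-requests"


def csp_directives(header_value):
    """Yield the lowercased directive names found in one CSP header value."""
    for policy in header_value.split(","):      # one header may carry several policies
        for directive in policy.split(";"):     # directives are ';'-separated
            tokens = directive.split()
            if tokens:
                yield tokens[0].lower()         # directive names are case-insensitive


def upgrade_status(raw_headers):
    """Return 'enforced', 'report-only' or 'missing' for a raw header block."""
    found_report_only = False
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or name not in (ENFORCE, REPORT_ONLY):
            continue                            # status line, blank line, other header
        if UIR not in csp_directives(value):
            continue
        if name == ENFORCE:
            return "enforced"
        found_report_only = True                # present, but browsers ignore it here
    return "report-only" if found_report_only else "missing"


# Constructed sample responses
SAMPLES = {
    "header as configured above":
        "HTTP/1.1 200 OK\r\nContent-Security-Policy: upgrade-insecure-requests;\r\n\r\n",
    "mixed with other directives":
        "HTTP/2 200\r\ncontent-security-policy: default-src 'self'; Upgrade-Insecure-Requests\r\n",
    "report-only header":
        "HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: upgrade-insecure-requests\r\n",
    "name only inside a report URL":
        "HTTP/1.1 200 OK\r\nContent-Security-Policy: report-uri /upgrade-insecure-requests\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {upgrade_status(raw)}")
```

The last sample shows why a plain text search for the directive name is not enough: the string is present in the header, but not as a directive.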

Additional resources

  • If your site is already fully accessible in HTTPS, resources and links included, and you want to enable HTTPS by default, you can use HSTS.