Upgrade-Insecure-Requests header

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since ⁨April 2018⁩.

The HTTPUpgrade-Insecure-Requestsrequest header sends a signal to the server indicating the client's preference for an encrypted and authenticated response, and that the client can successfully handle theupgrade-insecure-requestsCSP directive.

Header type	Request header
Forbidden request header	No

Syntax

http

Upgrade-Insecure-Requests: <boolean>

Directives

<boolean>: 1 indicates 'true' and is the only valid value for this field.

Examples

Using Upgrade-Insecure-Requests

A client's request signals to the server that it supports the upgrade mechanisms ofupgrade-insecure-requests:

http

GET / HTTP/1.1Host: example.comUpgrade-Insecure-Requests: 1

The server can now redirect to a secure version of the site. AVary header can be used so that the site isn't served by caches to clients that don't support the upgrade mechanism.

http

Location: https://example.com/Vary: Upgrade-Insecure-Requests

Specifications

Specification
Upgrade Insecure Requests # preference

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on⁨Jul 4, 2025⁩ byMDN contributors.

View this page on GitHub •Report a problem with this content

Movatterモバイル変換

Upgrade-Insecure-Requests header

Syntax

Directives

Examples

Using Upgrade-Insecure-Requests

Specifications

Browser compatibility

See also

Help improve MDN