The HTTP Upgrade-Insecure-Requests
request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the {{CSP("upgrade-insecure-requests")}} CSP directive.
Header type | {{Glossary("Request header")}} |
---|---|
{{Glossary("Forbidden header name")}} | no |
Syntax
Upgrade-Insecure-Requests: 1
Examples
A client requests signals to the server that it supports the upgrade mechanisms of {{CSP("upgrade-insecure-requests")}}:
GET / HTTP/1.1 Host: example.com Upgrade-Insecure-Requests: 1
The server can now redirect to a secure version of the site. A {{HTTPHeader("Vary")}} header can be used so that the site isn't served by caches to clients that don’t support the upgrade mechanism.
Location: https://example.com/ Vary: Upgrade-Insecure-Requests
Specifications
Specification | Status | Comment |
---|---|---|
{{specName("Upgrade Insecure Requests", "#preference", "upgrade-insecure-requests")}} | {{Spec2('Upgrade Insecure Requests')}} | Initial definition. |
Browser compatibility
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
{{Compat}}
See also
- {{HTTPHeader("Content-Security-Policy")}}
- CSP {{CSP("upgrade-insecure-requests")}} directive