Directive: upgrade-insecure-requests
Note
This is an extension to CSP, which is defined in W3C: Mixed Content.
The upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for websites with large numbers of insecure legacy URLs that need to be rewritten.
The upgrade-insecure-requests directive will NOT ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation, and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks.
Important
The upgrade-insecure-requests directive is evaluated before block-all-mixed-content, and if it is set, the latter is effectively a no-op. Since block-all-mixed-content is obsolete, this should be used instead.
It is either on or off. It has no value.
upgrade-insecure-requests
❌ upgrade-insecure-requests does not fall back to default-src.
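The rewrite the directive asks for, and the two caveats above (block-all-mixed-content becoming a no-op, HSTS still being required), as an added example that is not part of this reference; the header strings, hostnames and function names are constructed for illustration and follow the W3C rule of http to https, ws to wss, port 80 to 443 (which is the https default and so disappears from the serialized URL):

```javascript
// Added example: parse a CSP header, apply the upgrade-insecure-requests
// rewrite to subresource URLs, and audit the policy for the caveats above.
// All sample headers, hostnames and names here are constructed.

function parseCsp(header) {
  // Directives are ';'-separated; each is a name followed by space-separated values.
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Rewrite one URL the way a user agent does when the directive is set:
// http -> https, ws -> wss; an explicit :80 becomes the https default (443),
// any other explicit port is kept. Everything else is returned untouched.
function upgradeUrl(urlString, policy) {
  if (!policy.has('upgrade-insecure-requests')) return urlString;
  const url = new URL(urlString);
  if (url.protocol === 'http:') url.protocol = 'https:';
  else if (url.protocol === 'ws:') url.protocol = 'wss:';
  else return urlString;
  return url.href;
}

// Audit the response headers: block-all-mixed-content is redundant once
// upgrade-insecure-requests is present, and HSTS max-age is still required
// because the directive does not cover inbound top-level navigations.
function auditHeaders(cspHeader, hstsHeader) {
  const policy = parseCsp(cspHeader);
  const upgrades = policy.has('upgrade-insecure-requests');
  const maxAge = hstsHeader ? hstsHeader.match(/max-age=(\d+)/i) : null;
  return {
    upgrades,
    blockAllMixedContentIsNoOp: upgrades && policy.has('block-all-mixed-content'),
    hstsMaxAge: maxAge ? Number(maxAge[1]) : null,
  };
}

// Constructed sample: a legacy site that still embeds plain-HTTP assets.
const samplePolicy = parseCsp("default-src 'self'; upgrade-insecure-requests; block-all-mixed-content");
const sampleUrls = [
  'http://cdn.example.com:80/legacy.js',
  'ws://chat.example.com:8080/socket',
  'https://already.example.com/ok.css',
];
for (const u of sampleUrls) console.log(u, '->', upgradeUrl(u, samplePolicy));
console.log(auditHeaders("default-src 'self'; upgrade-insecure-requests", null));
```

A missing hstsMaxAge in the audit output is the case the text warns about: the policy upgrades the page's own requests but nothing protects the first navigation from a third-party http:// link.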
None
Content licensed under CC BY-SA.