Upgrade-Insecure-Requests header

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since ⁨April 2018⁩.

The HTTP Upgrade-Insecure-Requests request header sends a signal to the server indicating the client's preference for an encrypted and authenticated response, and that the client can successfully handle the upgrade-insecure-requests CSP directive.

Header type	Request header
Forbidden request header	No

Syntax

http

Upgrade-Insecure-Requests: <boolean>

Directives

<boolean>: 1 indicates 'true' and is the only valid value for this field.

Examples

Using Upgrade-Insecure-Requests

A client's request signals to the server that it supports the upgrade mechanisms of upgrade-insecure-requests:

http

GET / HTTP/1.1
Host: example.com
Upgrade-Insecure-Requests: 1

The server can now redirect to a secure version of the site. A Vary header can be used so that the site isn't served by caches to clients that don't support the upgrade mechanism.

http

Location: https://example.com/
Vary: Upgrade-Insecure-Requests

Specifications

Specification
Upgrade Insecure Requests # preference

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on ⁨Jul 4, 2025⁩ by MDN contributors.

View this page on GitHub • Report a problem with this content

Upgrade-Insecure-Requests header

Syntax

Directives

Examples

Using Upgrade-Insecure-Requests

Specifications

Browser compatibility

See also

Help improve MDN