Understanding the Upgrade-Insecure-Requests HTTP Security Header

Key Benefit: Lets a server upgrade HTTP connections to HTTPS for clients that advertise support, so data between client and server travels over an encrypted channel.

The Upgrade-Insecure-Requests HTTP header plays a key role in modern web security by encouraging secure connections between clients and servers. Although it is technically a request header, it has significant implications for overall security and how web servers handle requests.

What Is the Upgrade-Insecure-Requests Header?

Upgrade-Insecure-Requests is an HTTP request header that informs the server a client is capable of handling—and prefers—an encrypted (HTTPS) version of the requested resource. When this header is sent, the browser is effectively signaling that it supports upgrading any non-secure (HTTP) links to secure (HTTPS) links.

Header Type: Request header
Forbidden Request Header: No
Syntax:
Upgrade-Insecure-Requests: 1

How It Works

Client Support

The browser or client includes an Upgrade-Insecure-Requests: 1 header in its HTTP request.

Server Recognition

Upon receiving this header, the server recognizes that the client can handle a transition to HTTPS.

Redirect to HTTPS

If the requested resource is not already served via HTTPS, the server can issue a redirect (3xx) to the secure version.

Vary Header Usage

The server can set Vary: Upgrade-Insecure-Requests so that caches store the redirect and the plain response separately, keyed on whether the client sent the header.
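The four steps above, as an added example that is not part of the original page: a server-side decision function that inspects the request header, issues the 301 to the HTTPS origin (preserving path and query) and attaches the Vary header, plus a minimal cache that honours Vary so the redirect stored for an opted-in client is never replayed to one that did not send the header. The function and class names, the dict-based request/response shapes and the sample hostnames are all constructed for illustration.

```python
"""Added example: Upgrade-Insecure-Requests handling and Vary-aware caching.

Constructed illustration, not code from the original page. Requests and
responses are plain dicts; a real server maps these onto its own framework.
"""
from http import HTTPStatus
from urllib.parse import urlsplit, urlunsplit

HEADER = "Upgrade-Insecure-Requests"


def handle_request(scheme: str, host: str, target: str, req_headers: dict) -> tuple[int, dict]:
    """Decide how to answer a request that arrived over `scheme` ("http" or "https").

    Returns (status_code, response_headers). Every response carries
    Vary: Upgrade-Insecure-Requests so shared caches keep the redirect and the
    plain response apart.
    """
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value.strip() for name, value in req_headers.items()}
    resp = {"Vary": HEADER}

    if scheme != "https" and lowered.get(HEADER.lower()) == "1":
        # Client advertised that it prefers HTTPS: redirect to the same path and
        # query on the secure origin. 301 matches the page's server configs.
        parts = urlsplit(target)
        resp["Location"] = urlunsplit(("https", host, parts.path, parts.query, ""))
        return HTTPStatus.MOVED_PERMANENTLY, resp

    # Already on HTTPS, or a client that did not opt in: serve the resource as-is.
    resp["Content-Type"] = "text/plain"
    return HTTPStatus.OK, resp


class VaryAwareCache:
    """Minimal shared cache that honours the Vary response header.

    Without Vary, a cache that stored the 301 for an opted-in client would replay
    it to every later client for the same URL, and vice versa.
    """

    def __init__(self):
        # target -> list of (vary_names, selecting_values, status, headers)
        self._variants = {}

    @staticmethod
    def _select(req_headers, vary):
        lowered = {k.lower(): v.strip() for k, v in req_headers.items()}
        return tuple((h, lowered.get(h, "")) for h in vary)

    def put(self, target, req_headers, status, resp_headers):
        vary = [h.strip().lower() for h in resp_headers.get("Vary", "").split(",") if h.strip()]
        entry = (vary, self._select(req_headers, vary), status, resp_headers)
        self._variants.setdefault(target, []).append(entry)

    def get(self, target, req_headers):
        for vary, selecting, status, resp_headers in self._variants.get(target, []):
            if self._select(req_headers, vary) == selecting:
                return status, resp_headers
        return None


if __name__ == "__main__":
    cache = VaryAwareCache()
    opted_in = {"Host": "example.com", "Upgrade-Insecure-Requests": "1"}
    legacy = {"Host": "example.com"}
    status, headers = handle_request("http", "example.com", "/login?next=/home", opted_in)
    cache.put("/login?next=/home", opted_in, status, headers)
    print(status, headers)
    print(cache.get("/login?next=/home", opted_in))
    print(cache.get("/login?next=/home", legacy))
```

The cache only matches a stored variant when the request's value for every header named in Vary equals the value recorded when the entry was stored, which is exactly the behaviour the Vary step above relies on.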

Server Implementation

Apache (requires mod_rewrite and mod_headers)

<VirtualHost *:80>
    ServerName example.com
    
    RewriteEngine On
    
    # Check if the Upgrade-Insecure-Requests header is set to 1
    RewriteCond "%{HTTP:Upgrade-Insecure-Requests}" "1"
    # Redirect to HTTPS if the condition matches
    RewriteRule "^/(.*)" "https://example.com/$1" [R=301,L]
    
    # Set the Vary header so caches keep the redirect and the plain response apart.
    # "always" is needed so the header is also attached to the 3xx redirect
    # (without it the directive only applies to 2xx responses); "append" merges
    # into an existing Vary value instead of emitting a second header.
    Header always append Vary "Upgrade-Insecure-Requests"
</VirtualHost>

Nginx

server {
    listen 80;
    server_name example.com;
    
    # Redirect to HTTPS if the header is set
    if ($http_upgrade_insecure_requests = 1) {
        return 301 https://example.com$request_uri;
    }

    # Additional server configuration goes here
}

IIS (web.config, requires the URL Rewrite module)

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="UpgradeInsecureRequestsRedirect" stopProcessing="true">
          <match url="(.*)" ignoreCase="true" />
          <conditions>
            <!-- Request headers are exposed as HTTP_ server variables -->
            <add input="{HTTP_UPGRADE_INSECURE_REQUESTS}" pattern="1" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" 
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Security Risks

Missed Opportunity for Encryption

Ignoring the header and serving the resource over plain HTTP leaves the exchange unencrypted even though the client was ready to upgrade.

Session Hijacking

When HTTP connections remain unencrypted, attackers can intercept session cookies or tamper with data.

Lack of Visibility

If the header is never inspected or logged, you have no data on which clients are ready to be moved to HTTPS, or on how often the upgrade is actually missed.
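One way to recover that visibility, as an added example that is not from the original page: log the header value on the port-80 virtual host and summarise the log. The snippet assumes a constructed nginx log_format that appends uir=$http_upgrade_insecure_requests to each line (nginx writes "-" for an empty variable); the log lines, IP addresses and paths are constructed sample data. It counts how many requests came from upgrade-capable clients, how many were redirected, and flags the "missed opportunity" case from the first risk above: an upgrade-capable client that was answered with a non-3xx response over plain HTTP.

```python
"""Added example: measuring Upgrade-Insecure-Requests handling from access logs.

Constructed illustration, not code from the original page. Assumed log format
(nginx, port-80 server block):
  log_format uir '$remote_addr "$request" $status uir=$http_upgrade_insecure_requests';
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) uir=(?P<uir>\S+)$'
)

# Constructed sample log: one redirect done right, two upgrade-capable clients
# served over plain HTTP anyway, one legacy client, and one unparsable line.
SAMPLE_LOG = """\
203.0.113.10 "GET /index.html HTTP/1.1" 301 uir=1
203.0.113.10 "GET /index.html HTTP/1.1" 200 uir=1
198.51.100.7 "GET /api/data HTTP/1.1" 200 uir=-
192.0.2.44 "POST /login HTTP/1.1" 200 uir=1
malformed line that the parser must skip
"""


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Only the exact value "1" means the client opted in; "-" is an absent header.
    rec["upgradeable"] = rec["uir"] == "1"
    return rec


def summarize(log_text: str):
    """Count requests by upgrade status and list the missed upgrades.

    Returns (counts, missed) where missed is a list of (ip, target) pairs for
    upgrade-capable clients that received a non-redirect response over HTTP.
    """
    counts = Counter()
    missed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts["requests"] += 1
        if rec["upgradeable"]:
            counts["upgradeable"] += 1
            if 300 <= rec["status"] < 400:
                counts["redirected"] += 1
            else:
                missed.append((rec["ip"], rec["target"]))
    counts["missed_upgrades"] = len(missed)
    return dict(counts), missed


if __name__ == "__main__":
    counts, missed = summarize(SAMPLE_LOG)
    print(counts)
    for ip, target in missed:
        print(f"served over plain HTTP to an upgrade-capable client: {ip} {target}")
```

Because this log belongs to the HTTP (port 80) server block, any 2xx response to a request carrying uir=1 is a request that the configuration in the previous section should have redirected; the missed list is the set of paths to investigate.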