What is the "Upgrade-Insecure-Requests" HTTP header?
Solution 1
Short answer: it's closely related to the Content-Security-Policy: upgrade-insecure-requests response header, indicating that the browser supports it (and in fact prefers it).
It took me 30mins of Googling, but I finally found it buried in the W3 spec.
The confusion comes because the header in the spec was HTTPS: 1, and this is how Chromium implemented it, but after this broke lots of websites that were poorly coded (particularly WordPress and WooCommerce) the Chromium team apologized:
"I apologize for the breakage; I apparently underestimated the impact based on the feedback during dev and beta."
— Mike West, in Chrome Issue 501842
Their fix was to rename it to Upgrade-Insecure-Requests: 1, and the spec has since been updated to match.
Anyway, here is the explanation from the W3 spec (as it appeared at the time)...
The
HTTPSHTTP request header field sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests directive in order to make that preference as seamless as possible to provide....
When a server encounters this preference in an HTTP request’s headers, it SHOULD redirect the user to a potentially secure representation of the resource being requested.
When a server encounters this preference in an HTTPS request’s headers, it SHOULD include a
Strict-Transport-Securityheader in the response if the request’s host is HSTS-safe or conditionally HSTS-safe [RFC6797].
Solution 2
This explains the whole thing:
The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.
The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if it is set, the latter is effectively a no-op. It is recommended to set one directive or the other, but not both.
The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks.
Related videos on Youtube
![[Học Giao thức HTTP] Bài 25: Tìm hiểu Request Header - Authorization](https://i.ytimg.com/vi/v_0jkcfyB7g/hqdefault.jpg?sqp=-oaymwEcCOADEI4CSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLDfnz5sdEPEnPcmy3XUCUtaS6GLCQ)
04 : 40
![[Học Giao thức HTTP] Bài 22: Tìm hiểu Request Headers](https://i.ytimg.com/vi/Exij0lEgfh0/hqdefault.jpg?sqp=-oaymwEcCOADEI4CSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBdTWyG2vTYuwUAuhpfzs34uoePnA)
07 : 22
05 : 00
07 : 19
09 : 27
06 : 02
16 : 06
06 : 10
06 : 47
Comments
-
user193130 almost 2 years
I made a POST request to a HTTP (non-HTTPS) site, inspected the request in Chrome's Developer Tools, and found that it added its own header before sending it to the server:
Upgrade-Insecure-Requests: 1After doing a search on
Upgrade-Insecure-Requests, I can only find information about the server sending this header:Content-Security-Policy: upgrade-insecure-requestsThis seems related, but still very different since in my case, the CLIENT is sending the header in the Request, whereas all the information I've found is concerning the SERVER sending the related header in a Response.
So why is Chrome (44.0.2403.130 m) adding
Upgrade-Insecure-Requeststo my request and what does it do?
Update 2016-08-24:
This header has since been added as a W3C Candidate Recommendation and is now officially recognized.
For those who just came across this question and are confused, the excellent answer by Simon East explains it well.
The
Upgrade-Insecure-Requests: 1header used to beHTTPS: 1in the previous W3C Working Draft and was renamed quietly by Chrome before the change became officially accepted.(This question was asked during this transition when there were no official documentation on this header and Chrome was the only browser that sent this header.)
-
dakab almost 8 yearsFirefox does it too. -
user193130 almost 8 yearsMust be new; I do development on Firefox first and this header definitely wasn't sent from Firefox last year.
-
-
Saeed Neamati almost 8 yearsI fail to understand it. I'ma.comand redirect you tob.com, while providing this header tob.comand sending some information. If you're not under a secure channel tob.com, a sniffing-attack can happen already, because I've sent data tob.comalongside my request. Can you guide us to a simple scenario of how it makes connections more secure for users? -
tne almost 8 years@SaeedNeamati Under a very strict perspective it doesn't make anything more secure. If you have normal security requirements then you have to make sure you connect via HTTPS first and not rely on this. That being said, I would describe this in the context of the idea of "Trust on First Use", which does help passively.
-
DUzun over 7 yearsI see this more as client's desire than security tool. It's like "DNT" header, server could ignore it, but yet it expresses client's will.
-
Simon East almost 7 yearsMy answer could actually be improved to properly explain how the client and server negotiate this. Feel free to suggest improvements if you'd like.
