Skip to content

Fix CSP Upgrade-Insecure-Requests for Mixed Content

DodaTech Updated 2026-06-26 2 min read

In this tutorial, you'll learn about Fix CSP Upgrade. We cover key concepts, practical examples, and best practices.

Your HTTPS page loads images, scripts, or styles over HTTP, triggering mixed content warnings or blocks. The browser blocks active mixed content (scripts, iframes) and may warn about passive mixed content (images, audio). The upgrade-insecure-requests CSP directive tells the browser to automatically rewrite all HTTP URLs to HTTPS before fetching them.

Wrong

Mixed content exists on an HTTPS page and each resource must be manually updated to HTTPS.

Page URL: https://example.com/page
<img src="http://images.example.com/photo.jpg">
<script src="http://cdn.example.com/analytics.js"></script>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Roboto">
Mixed Content: The page at 'https://example.com/page' was loaded over HTTPS,
but requested an insecure image 'http://images.example.com/photo.jpg'. This
content should also be served over HTTPS.

Mixed Content: The page at 'https://example.com/page' was loaded over HTTPS,
but requested an insecure script 'http://cdn.example.com/analytics.js'. This
request has been blocked; the content must be served over HTTPS.

The browser blocks the script entirely and may show a warning for the image. The stylesheet fails to load on some browsers.

Add upgrade-insecure-requests to the CSP header. The browser automatically upgrades every HTTP URL to HTTPS.

Content-Security-Policy: upgrade-insecure-requests
<img src="http://images.example.com/photo.jpg">
<script src="http://cdn.example.com/analytics.js"></script>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Roboto">

The browser internally rewrites all requests to HTTPS:

https://images.example.com/photo.jpg
https://cdn.example.com/analytics.js
https://fonts.googleapis.com/css?family=Roboto

With helmet:

app.use(helmet.contentSecurityPolicy({
  directives: {
    upgradeInsecureRequests: true,
  },
}));

No mixed content warnings appear. All resources load over HTTPS regardless of what the HTML specifies.

Prevention

  • Add upgrade-insecure-requests as the first directive in your CSP header for maximum compatibility.
  • Use this directive as a transitional measure while migrating all resource URLs to HTTPS in your source code.
  • Do not rely on upgrade-insecure-requests as a permanent solution. Update your HTML to use HTTPS URLs directly.
  • Combine with block-all-mixed-content if you want to block rather than upgrade passive mixed content.
  • The directive applies to all resource types: images, scripts, styles, fonts, media, and XHR requests.
  • If the HTTPS version of a resource does not exist or fails, the browser does not fall back to HTTP.

DodaTech Tools

Doda Browser shows both the original HTTP URL and the upgraded HTTPS URL in its network panel when upgrade-insecure-requests is active. DodaZIP's mixed content scanner identifies all HTTP resource references in HTML files for migration. Durga Antivirus Pro uses upgrade-insecure-requests across its management console to ensure all embedded threat feeds load over HTTPS.

FAQ

### Does upgrade-insecure-requests affect form submissions?

Yes. The directive also upgrades form action URLs from HTTP to HTTPS. If a form submits to an HTTP URL, the browser automatically changes the submission target to HTTPS. This prevents login credentials or other sensitive data from being sent over an unencrypted connection.

What happens if the HTTPS version of a resource does not exist?

If the upgraded HTTPS request fails (4xx or 5xx error), the browser does not fall back to HTTP. The resource simply fails to load. Before deploying upgrade-insecure-requests, verify that all external resources your page depends on are available over HTTPS.

Can I use upgrade-insecure-requests with a regular CSP?

Yes. upgrade-insecure-requests works alongside other CSP directives like default-src and script-src. The upgraded requests still need to comply with the rest of your CSP. For example, if script-src is 'self', an upgraded script from a CDN domain will still be blocked by script-src even after the URL upgrade succeeds.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro