Protocols
Protocol directives in CSP help secure your website by controlling how resources are loaded. Learn about blocking mixed content and upgrading insecure requests to enhance your site's security posture.
block-all-mixed-content
The block-all-mixed-content directive prevents the browser from loading any mixed content, ensuring that all resources are loaded over HTTPS.
Tips & Tricks
This directive is deprecated and replaced by the upgrade-insecure-requests directive.
Using this directive may break functionality on pages that rely on HTTP resources. Ensure all resources are available over HTTPS before implementing.
Examples
Block all mixed content
Content-Security-Policy: block-all-mixed-content;
Allowed
<img src='https://example.com/image.jpg'>
Blocked
<img src='http://example.com/image.jpg'> <!-- Will be blocked -->
upgrade-insecure-requests
The upgrade-insecure-requests directive instructs the browser to upgrade HTTP requests to HTTPS before fetching, helping to secure communication by avoiding mixed content.
Recommended Values
upgrade-insecure-requests
Instructs the browser to upgrade HTTP requests to HTTPS before fetching
Tips & Tricks
This directive is particularly useful when migrating large sites from HTTP to HTTPS, as it reduces the need to update all resource links manually.
While this directive upgrades requests, it doesn't guarantee that the upgraded requests will succeed. The server must support HTTPS for the resources.
Examples
Upgrade all insecure requests to HTTPS
Content-Security-Policy: upgrade-insecure-requests;
Allowed
<img src='https://example.com/image.jpg'>
Upgraded
<img src='http://example.com/image.jpg'> <!-- Will be upgraded to HTTPS -->
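A pre-deployment check for the caveats in the tips above (pages that rely on HTTP resources, and upgraded requests that may not succeed), as an added example that is not part of the original page: it lists the http:// subresources in a page together with the https:// URLs that would be requested instead. The tag list, the function names and the `probe` callback are assumptions for illustration; `probe` is whatever HTTPS reachability check you supply.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tag -> attributes that trigger a subresource fetch (illustrative, not
# exhaustive; srcset and CSS url() references are not covered).
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
    "object": ("data",),
}

def upgrade_url(url):
    """Return the https:// form of an http:// URL, or None if it is not http."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    netloc = parts.netloc
    if parts.port == 80:  # explicit HTTP default port: let HTTPS use its own default
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

class _Finder(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.found = base_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = SUBRESOURCE_ATTRS.get(tag, ())
        # Only stylesheet links are treated as fetched here (an assumption).
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            names = ("href",)
        for name in names:
            # Resolve relative and protocol-relative references against the page URL.
            absolute = urljoin(self.base_url, (attrs.get(name) or "").strip())
            upgraded = upgrade_url(absolute)
            if attrs.get(name) and upgraded:
                self.found.append((tag, absolute, upgraded))

def find_insecure_subresources(html, base_url):
    """List (tag, http_url, https_url) for subresources the directive would rewrite."""
    finder = _Finder(base_url)
    finder.feed(html)
    return finder.found

def unavailable_after_upgrade(refs, probe):
    """Return the https URLs for which probe(url) is falsy (would fail once upgraded)."""
    return [https for _, _, https in refs if not probe(https)]
```

Any URL returned by `unavailable_after_upgrade` is a resource that would fail to load once the header is deployed, so fix or replace it first.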