=Connection upgrades= Firefox may upgrade a connection to a website from the insecure HTTP protocol to the secure HTTPS protocol for several reasons. Secure connections help ensure that the websites you visit are authentic and that the data you send cannot be intercepted. Today, most websites support the HTTPS protocol, so upgrading connections should only cause issues in rare cases. Even when a link includes the <code>http://</code> scheme, Firefox may still attempt to upgrade the connection. This happens because, while most websites now support HTTPS, many older <code>http://</code> links remain in use. =Different upgrade mechanisms= Connection upgrade mechanisms can be categorized based on two factors: #Who initiates the upgrade (the browser or the web server). #The type of connection being upgraded. The sections below explain these mechanisms in detail. ==Server initiated pgrades== When a web server indicates that it supports HTTPS, the browser can automatically switch to a secure connection. The server can use several methods to achieve this: * [https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HTTP Strict Transport Security (HSTS)] is a standard which lets websites communicate to the browser that they support secure connections and the browser will remember this for future connections. It is supplemented by a built-in list of such sites, the [https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Solutions_with_preload_list HSTS preload list]. * [https://developer.mozilla.org/en-US/docs/Glossary/HTTPS_RR HTTPS Resource Records (HTTPS RR)] are special DNS entries which tell a browser that a web server supports HTTPS. * While not technically a connection upgrade, many websites redirect HTTP connections to HTTPS using the redirection status codes like [https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301 301 Moved Permanently]. ==Browser initiated upgrades== If the browser cannot determine whether a web server supports HTTPS, it may still attempt to upgrade the connection. Because HTTPS is widely supported, this process is often successful. Firefox supports several browser-initiated upgrade features: * [[HTTPS-First - Upgrades to Secure Connections]] is a feature which has been in Firefox since version 136. It ensures that all connections attempt to use HTTPS first, before falling back to HTTP in case of failure. This will always select the most secure option, without bothering users. * [[HTTPS-Only Mode in Firefox]] is a setting which users can enable to ensure that Firefox will never establish an insecure connection without prompting the user first. While most sites support HTTPS today, most users are annoyed when they encounter a site which does not support it and find this setting to strict. It is therefore not enabled by default. * There are several web extensions which perform some kind of connection upgrade. But these mostly serve specific use-cases for expert audiences. ==Other requests== The mechanisms described above primarily apply to “top-level” or navigation requests, such as typing a URL into the address bar or clicking on a link. Firefox also handles other types of requests, such as downloading images or other subresources for a webpage. While [[HTTPS-Only Mode in Firefox]] applies to all requests, subresources are typically upgraded using the following mechanisms: * A [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests upgrade-insecure-requests] [https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP Content Security Policy (CSP)] directive on a webpage will upgrade subresource requests. * The [https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content Mixed Content Algorithm] ensures that if the top-level request for a site was encrypted subresources will either also be loaded securely, or the connection is blocked.

Connection upgrades

Firefox may upgrade a connection to a website from the insecure HTTP protocol to the secure HTTPS protocol for several reasons. Secure connections help ensure that the websites you visit are authentic and that the data you send cannot be intercepted. Today, most websites support the HTTPS protocol, so upgrading connections should only cause issues in rare cases. Even when a link includes the http:// scheme, Firefox may still attempt to upgrade the connection. This happens because, while most websites now support HTTPS, many older http:// links remain in use.

Different upgrade mechanisms

Connection upgrade mechanisms can be categorized based on two factors:

1. Who initiates the upgrade (the browser or the web server).
2. The type of connection being upgraded.

The sections below explain these mechanisms in detail.

Server initiated pgrades

When a web server indicates that it supports HTTPS, the browser can automatically switch to a secure connection. The server can use several methods to achieve this:

• HTTP Strict Transport Security (HSTS) is a standard which lets websites communicate to the browser that they support secure connections and the browser will remember this for future connections. It is supplemented by a built-in list of such sites, the HSTS preload list.
• HTTPS Resource Records (HTTPS RR) are special DNS entries which tell a browser that a web server supports HTTPS.
• While not technically a connection upgrade, many websites redirect HTTP connections to HTTPS using the redirection status codes like 301 Moved Permanently.

Browser initiated upgrades

If the browser cannot determine whether a web server supports HTTPS, it may still attempt to upgrade the connection. Because HTTPS is widely supported, this process is often successful. Firefox supports several browser-initiated upgrade features:

• HTTPS-First upgrades to secure connections is a feature which has been in Firefox since version 136. It ensures that all connections attempt to use HTTPS first, before falling back to HTTP in case of failure. This will always select the most secure option, without bothering users.
• HTTPS-Only Mode in Firefox is a setting which users can enable to ensure that Firefox will never establish an insecure connection without prompting the user first. While most sites support HTTPS today, most users are annoyed when they encounter a site which does not support it and find this setting to strict. It is therefore not enabled by default.
• There are several web extensions which perform some kind of connection upgrade. But these mostly serve specific use-cases for expert audiences.

Other requests

The mechanisms described above primarily apply to “top-level” or navigation requests, such as typing a URL into the address bar or clicking on a link. Firefox also handles other types of requests, such as downloading images or other subresources for a webpage. While HTTPS-Only Mode in Firefox applies to all requests, subresources are typically upgraded using the following mechanisms:

• A upgrade-insecure-requests Content Security Policy (CSP) directive on a webpage will upgrade subresource requests.
• The Mixed Content Algorithm ensures that if the top-level request for a site was encrypted subresources will either also be loaded securely, or the connection is blocked.