Chromium Blog

Towards HTTPS by default

Chrome has achieved significant progress in securing web traffic, with over 90% of navigations now using HTTPS. However, a stubborn minority of traffic remains on HTTP, leaving users vulnerable to network attackers.

To address this, Chrome is implementing HTTPS-First Mode, which requires explicit permission before connecting to insecure sites. Automatic upgrades will seamlessly redirect HTTP requests to HTTPS, ensuring that insecure HTTP is used only when absolutely necessary. Chrome will also warn users before downloading high-risk files over insecure connections, protecting against malicious code. HTTPS-First Mode protections are being expanded to Advanced Protection Program users and Incognito Mode. Chrome is exploring automatic HTTPS-First Mode enablement for users with minimal HTTP usage.

Developers are encouraged to fully adopt HTTPS and redirect HTTP URLs to HTTPS equivalents to avoid warnings and ensure user security. Enterprise networks can customize or disable these features through specific policies.

Chrome remains committed to making the web secure by default, with HTTPS-First Mode as a major step towards this goal. Users can enable HTTPS upgrading and insecure download warnings in Chrome settings. For developers, ensuring HTTPS support and avoiding HTTP-only content is crucial to maintain user security.
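
The developer guidance above (redirect HTTP URLs to their HTTPS equivalents) can be checked offline against recorded redirect chains. This is an added example, not code from the Chromium post; the function names and sample chains are constructed, and it assumes "HTTPS equivalent" means the same host, path and query with only the scheme changed.

```python
from urllib.parse import urlsplit


def _key(url):
    """Everything that must survive the upgrade: host, path, query (port ignored)."""
    p = urlsplit(url)
    return (p.hostname or "").lower(), p.path or "/", p.query


def audit_chain(chain):
    """Classify one recorded redirect chain: [start_url, hop, ..., final_url]."""
    schemes = [urlsplit(u).scheme.lower() for u in chain]
    if schemes[0] != "http":
        raise ValueError("chain must start at an http:// URL")
    if schemes[-1] != "https":
        return "no-upgrade"       # the visitor still ends on plaintext HTTP
    first_https = schemes.index("https")
    if "http" in schemes[first_https:]:
        return "downgrade"        # reached HTTPS, then passed through HTTP again
    if _key(chain[0]) != _key(chain[-1]):
        return "not-equivalent"   # HTTPS, but not the page that was requested
    return "ok"


# Constructed sample chains (reserved example domains), not real measurements.
SAMPLE_CHAINS = {
    "direct": ["http://example.com/docs?id=7",
               "https://example.com/docs?id=7"],
    "http-only": ["http://example.com/legacy"],
    "bounce": ["http://example.com/a", "https://example.com/a",
               "http://cdn.example.com/a", "https://cdn.example.com/a"],
    "homepage": ["http://example.com/docs?id=7", "https://example.com/"],
}


def audit_all(chains):
    """Return {name: verdict} for every recorded chain."""
    return {name: audit_chain(chain) for name, chain in chains.items()}


if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLE_CHAINS).items():
        print(f"{name:10s} {verdict}")
```
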
blog.chromium.org