Here at Peakhour, we track browser security changes because they affect how sites are delivered and how users experience warnings. Google Chrome has made another move towards encrypted and authenticated traffic by expanding HTTPS-First Mode. Here is what Chrome unveiled on August 16, 2023, and what it means for HTTPS by default.
Automatic Upgrades to HTTPS
Chrome aims to make HTTPS the standard protocol by automatically upgrading all HTTP navigations to HTTPS. Even if you click a link explicitly declaring HTTP, Chrome will try HTTPS first. If the upgrade fails because of an invalid certificate or another issue, Chrome will fall back to HTTP.
The change is part of an experiment in Chrome version 115. It does not protect against active network attackers, but it does shift more everyday traffic away from passive eavesdropping and towards HTTPS as the default.
Warning on Insecurely Downloaded Files
Chrome is also adding warnings before users download high-risk files over insecure connections. Downloaded files can contain malicious code that compromises a computer. The warning gives users a clearer signal before they proceed, while still allowing the download if they accept the risk. The rollout of these warnings is expected to start in mid-September.
Expanding HTTPS-First Mode Protections
Chrome's longer-term goal is to enable HTTPS-First Mode for all users. It is expanding those protections in several areas:
- Enabling HTTPS-First Mode for users in Google's Advanced Protection Program who are also signed into Chrome.
- Planning to enable HTTPS-First Mode by default in Incognito Mode for a more secure browsing experience.
- Experimenting with automatically enabling HTTPS-First Mode on sites frequently accessed over HTTPS.
- Exploring automatically enabling HTTPS-First Mode for users who rarely use HTTP.
Try it Out
For users who want to try HTTPS upgrading or insecure download warnings before the full rollout, Chrome has provided options in the browser's settings to enable these features.
Peakhour's HTTPS Redirection Feature at the Edge
At Peakhour, HTTPS redirection is a practical edge control. It helps enforce encrypted and authenticated connections before a request reaches the origin.
When a user attempts to access a site over HTTP, our edge identifies the unsecured connection. Instead of allowing that connection through, we redirect the request to the HTTPS version of the site. This provides:
- Enhanced Security: By enforcing HTTPS, data transmitted between your website and your users is encrypted and protected from potential attackers.
- Compliance with Best Practices: This feature aligns with industry standards and recent browser policies, including Chrome's push towards HTTPS-first mode.
- User Trust: A secure connection gives users a clearer reason to trust the site, improving the user experience and potentially supporting higher conversion rates.
We also offer options for customisation, allowing you to set specific rules and behaviours for how HTTP requests are handled and redirected to HTTPS. Peakhour's HTTPS redirection feature at the edge is a small control with a clear job: move HTTP traffic onto HTTPS automatically, protect users, and keep sites aligned with current browser expectations.
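When reviewing how a site handles plain-HTTP requests, the redirect described above can be checked response by response. The following is an added example, not Peakhour's code: the function name, the finding strings, the same-host policy and the sample responses are all assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}

def audit_redirect(request_url, status, location=None):
    """Check one response to a plain-HTTP request; an empty list means it passes."""
    req = urlsplit(request_url)
    if status not in REDIRECTS:
        return [f"status {status}: answered over plain HTTP without redirecting"]
    if not location:
        return [f"status {status} has no Location header"]
    # Location may be relative, so resolve it against the request URL first.
    # A relative target inherits the http scheme and never leaves plaintext.
    dest = urlsplit(urljoin(request_url, location))
    findings = []
    if dest.scheme != "https":
        findings.append(f"redirect target uses {dest.scheme}, not https")
    # Policy choice of this example: the first hop should stay on the same host.
    if dest.hostname != req.hostname:
        findings.append(f"host changes from {req.hostname} to {dest.hostname}")
    if (dest.path or "/", dest.query) != (req.path or "/", req.query):
        findings.append("path or query not preserved")
    if status not in PERMANENT:
        findings.append(f"temporary redirect ({status}), not 301/308")
    return findings

# Constructed samples: (request URL, response status, Location header).
SAMPLES = [
    ("http://example.com/cart?id=7", 301, "https://example.com/cart?id=7"),
    ("http://example.com/cart?id=7", 302, "https://example.com/"),
    ("http://example.com/login", 301, "/login"),
    ("http://example.com/", 200, None),
]

def run_samples():
    return [audit_redirect(*sample) for sample in SAMPLES]

if __name__ == "__main__":
    for sample, findings in zip(SAMPLES, run_samples()):
        print(sample[0], sample[1], "->", findings or "OK")
```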
Final Thoughts
Chrome's push towards a secure-by-default web is another step towards a fully encrypted and authenticated internet. It also matches the way Peakhour thinks about everyday security controls: enforce the basics at the edge, and make the safe path the default.
Chrome's changes may require developers, enterprises, and users to adapt. The direction is still clear: less plain HTTP, more HTTPS by default, and fewer silent insecure paths. If your organisation is reviewing its HTTP handling, Peakhour can help you apply the right redirects and edge rules.