The "Upgrade Insecure Requests" Content Security Policy can be used to automatically upgrade insecure (e.g. http:) requests to a secure alternative (e.g. https:) before a browser fetches them.

In practice, this helps avoid mixed-content warnings when a page is accessed via https: but contains references to resources using absolute http: URLs.

Like other Content Security Policies, the recommended approach is to enable it via an HTTP response header:

Content-Security-Policy: upgrade-insecure-requests

Nginx example:

add_header Content-Security-Policy upgrade-insecure-requests;

However, if you do not have control over the underlying web server, an alternative is to include this meta tag in your HTML's <head>:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
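
To see what the policy would change on a given page, the following added example (not part of the original page) checks whether the directive is enabled by header or meta tag and lists each absolute http: subresource reference with its upgraded form. The function names and the example.com sample page are assumptions made for illustration; `<a href>` links are navigations and are left out.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

DIRECTIVE = "upgrade-insecure-requests"
# Attributes that trigger subresource fetches; <a href> is a navigation and is skipped.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href",
                     "audio": "src", "video": "src", "source": "src"}

def has_directive(policy):
    # CSP directives are ';'-separated; the first token of each is its name.
    return any(d.split()[:1] == [DIRECTIVE] for d in (policy or "").lower().split(";"))

def upgrade(url):
    # http: becomes https:; an explicit default port :80 is dropped rather than kept.
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = parts.netloc.rsplit(":", 1)[0] if parts.port == 80 else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

class Audit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.meta_policy = False
        self.insecure = []  # (tag, original URL, upgraded URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.meta_policy |= has_directive(a.get("content"))
        url = a.get(SUBRESOURCE_ATTRS.get(tag, "")) or ""
        if url.lower().startswith("http://"):
            self.insecure.append((tag, url, upgrade(url)))

def audit(html, csp_header=None):
    page = Audit()
    page.feed(html)
    return {"enabled": has_directive(csp_header) or page.meta_policy, "insecure": page.insecure}

# Constructed sample page (example.com hosts are placeholders).
SAMPLE_HTML = """<head>
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
<link rel="stylesheet" href="http://static.example.com:80/site.css"></head>
<img src="http://images.example.com/logo.png?v=2">
<script src="https://cdn.example.com/app.js"></script>
<a href="http://other.example.org/">external link</a>"""

if __name__ == "__main__":
    for tag, old, new in audit(SAMPLE_HTML)["insecure"]:
        print(f"<{tag}> {old} -> {new}")
```

Each upgraded URL in the output is worth requesting once over https:, because a resource that is not served over https: will fail to load instead of falling back to http:.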
