The server supports both HTTP and HTTPS. Upgrade Insecure Requests
1. Create a .htaccess file
2. Add the code below to it:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Or insert this code into the head section of the site:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
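To confirm the configuration above took effect, this added example (not part of the original post) checks a response for the permanent HTTPS redirect and for the upgrade-insecure-requests directive, delivered either as a header or as a meta tag. The function names and the sample responses (host example.test) are constructed for illustration.

```python
from html.parser import HTMLParser

DIRECTIVE = "upgrade-insecure-requests"

def csp_has_upgrade(value):
    """True if any policy in a CSP value carries the directive.
    Directive names are case-insensitive; the trailing ';' is optional."""
    for policy in value.split(","):        # one header may list several policies
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == DIRECTIVE:
                return True
    return False

class MetaCSP(HTMLParser):
    """Collects the content of <meta http-equiv="Content-Security-Policy">."""
    def __init__(self):
        super().__init__()
        self.policies = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append(a.get("content") or "")

def audit(status, headers, body=""):
    """Check one response. headers is a list of (name, value) pairs."""
    report = {"permanent_https_redirect": False, "header": False, "meta": False}
    for name, value in headers:
        name = name.lower()
        if name == "location" and status in (301, 308):
            report["permanent_https_redirect"] = value.lower().startswith("https://")
        elif name == "content-security-policy" and csp_has_upgrade(value):
            report["header"] = True
    parser = MetaCSP()
    parser.feed(body)
    report["meta"] = any(csp_has_upgrade(p) for p in parser.policies)
    return report

# Constructed sample responses (example.test is a placeholder host).
HTTP_HIT = (301, [("Location", "https://example.test/page"),
                  ("Content-Security-Policy", "upgrade-insecure-requests;")])
HTTPS_OK = (200, [("content-security-policy", "default-src 'self'; Upgrade-Insecure-Requests")])
META_ONLY = (200, [], '<head><meta http-equiv="Content-Security-Policy" '
                      'content="upgrade-insecure-requests"></head>')
NOT_SET = (302, [("Location", "https://example.test/"),
                 ("Content-Security-Policy", "default-src https:")])

if __name__ == "__main__":
    for sample in (HTTP_HIT, HTTPS_OK, META_ONLY, NOT_SET):
        print(audit(*sample))
```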
Reference
Migrate easily to HTTPS with the Upgrade Insecure Requests CSP directive
"Upgrade Insecure Requests" is a CSP (Content Security Policy) directive that allows you to indicate to HTTP clients/browsers that all resources must be accessed via HTTPS.
This makes it easier to migrate to HTTPS a website or web app that contains a great number of HTTP-declared resources. Your resources will automatically be requested over HTTPS by the client/browser, without any mixed content alert.
You will of course need your resource servers to be accessible using HTTPS.
Support
Upgrade Insecure Requests is supported by, at least, Mozilla Firefox (42+), Google Chrome (43+), Opera (30+), Android Browser (56+), Chrome for Android, Safari Mac (10.1+), Safari iOS (10.3+).
The feature is under consideration by Microsoft for Edge. Internet Explorer is not compatible.
Implementation
To implement this feature on your web server, you only need to declare a new HTTP header in your site's configuration.
Apache
For Apache, you will first need to load the header module. For instance:
LoadModule headers_module modules/mod_headers.so
You will then need to set the header in your virtual host:
Header always set Content-Security-Policy "upgrade-insecure-requests;"
IIS
IIS allows you to add custom HTTP headers. You just have to add a header with the name Content-Security-Policy and the value upgrade-insecure-requests;.
Nginx
For Nginx, you just have to add the following instruction to your server block:
add_header Content-Security-Policy upgrade-insecure-requests;
Lighttpd
You will first need to load the setenv module by adding this instruction to your configuration:
server.modules += ( "mod_setenv" )
Then, you can enable it for your site:
setenv.add-response-header = ( "Content-Security-Policy" => "upgrade-insecure-requests;" )
Others
You can enable this feature on any server that lets you configure HTTP response headers, by adding a "Content-Security-Policy" header with the value "upgrade-insecure-requests;".