For years now, Google has been one of the biggest proponents of using a more secure HTTPS connection everywhere possible. Google’s latest optional push, “HTTPS-Only Mode,” would make older HTTP websites inaccessible in Chrome.

HTTPS was once a marker of a website’s safety and a security measure reserved only for websites with things that needed special protection like financial transactions. Now, standard HTTP is treated as explicitly “Not Secure” by Chrome. To better keep your information safe, Chrome even warns about the usage of an insecure form (submitting to an HTTP address) on a secure HTTPS website.

The latest change for HTTP & HTTPS in Chrome is the upcoming addition of an “HTTPS-Only Mode,” as laid out in a new code change. As is the case with most new Chrome features, it will initially be hidden behind a flag in chrome://flags.

HTTPS-Only Mode Setting

Adds a setting under chrome://settings/security to opt-in to HTTPS-Only Mode. — Mac, Windows, Linux, Chrome OS, Android


Once the feature is available, a new setting for HTTPS-Only Mode will appear in Chrome’s settings — on the “Security” page, under the “Advanced” heading — as a simple toggle to “Always use secure connections.” By default, the toggle will be set to disabled.

Chrome setting that reads:
"Always use secure connections
Upgrade all navigations to HTTPS and warn you before loading sites that don't support it"

If you decide to turn the toggle on, Chrome will automatically “upgrade” any website you try to browse from the HTTP version to HTTPS, if available. Since Chrome already defaults to using HTTPS if you don’t specify http:// or https://, this is essentially limited to links that you may click or times when you manually type in an http:// url into the address bar.

If there isn’t an HTTPS version of a site — whether because the site is outdated, or it’s intentionally disabled as is the case for sites like NeverSSL — Chrome will show an interstitial warning page before reverting back to HTTP.

Presumably, this page will warn you that the site you’re seeking to browse is not available in HTTPS, so to access it you’d need to let it bypass your preference to only view secure sites. Any site that you allow to bypass HTTPS-Only Mode will be saved by Chrome so it won’t ask you again next time.

Considering HTTPS-Only Mode is still a work in progress, it likely won’t arrive in Chrome — including desktop, Android, and Chrome OS — until version 93 or 94, which are set to release in August and September, respectively.

More on Chrome:

FTC: We use income earning auto affiliate links. More.

Check out 9to5Google on YouTube for more news:

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Kyle Bradshaw

Kyle is an author and researcher for 9to5Google, with special interests in Made by Google products, Fuchsia, and Stadia.

Got a tip or want to chat? Twitter or Email.