Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Once the browser sees this header over an HTTPS response, it will automatically convert all future http:// requests to your domain and its subdomains to https:// before they are sent, eliminating the error.

Sometimes you cannot control the external API; maybe a legacy vendor only serves HTTP. In this case, do not call the HTTP endpoint directly from the browser. Call your own HTTPS backend, and let your server proxy the request to the HTTP vendor.
The golden rule of 2026 is simple: APIs, images, iframes, and fonts.
// Option A: Protocol-relative (Uses whatever the parent page uses)
fetch('//mybackend.com/api/data');
// Option B: Absolute HTTPS (Forces encryption)
fetch('https://mybackend.com/api/data');
Add this header to your server (Apache/NGINX):
fetch('http://mybackend.com/api/data');
<img src="http://cdn.example.com/logo.png">
The “Navigation Failed” Paradox: Debugging HTTP Requests in an HTTPS-Only World
Audit your code for stray http:// references today—your users’ browsers are already doing the same.
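One way to run that audit, as an added example that is not part of the original article: a small scanner for insecure references to the resource kinds named above (APIs, images, iframes, fonts). The function name `auditMixedContent`, the rule table and the sample input are assumptions made for illustration, and the scan is line-based, so tags split across lines are not detected.

```javascript
// Added example, not from the article: static audit for http:// subresources.
// Covers the resource kinds the article lists: APIs, images, iframes, fonts.
const RULES = [
  // handling follows the W3C Mixed Content categories: "blockable" requests
  // are refused on an HTTPS page; "upgradeable" ones are rewritten to https.
  { kind: 'api',    handling: 'blockable',
    re: /\bfetch\(\s*['"`](http:\/\/[^'"`\s]+)/gi },
  { kind: 'image',  handling: 'upgradeable',
    re: /<img\b[^>]*?\bsrc\s*=\s*['"](http:\/\/[^'"\s]+)/gi },
  { kind: 'iframe', handling: 'blockable',
    re: /<iframe\b[^>]*?\bsrc\s*=\s*['"](http:\/\/[^'"\s]+)/gi },
  { kind: 'font',   handling: 'blockable',
    re: /url\(\s*['"]?(http:\/\/[^'")\s]+\.(?:woff2?|ttf|otf))/gi },
];

// Returns one finding per insecure reference, in line order.
function auditMixedContent(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { kind, handling, re } of RULES) {
      for (const m of text.matchAll(re)) {
        findings.push({
          line: i + 1, kind, handling, url: m[1],
          // The article's "Option B": the same URL over absolute HTTPS.
          fix: m[1].replace(/^http:/i, 'https:'),
        });
      }
    }
  });
  return findings;
}

// Constructed sample input (hostnames are placeholders).
const SAMPLE = [
  "fetch('http://mybackend.com/api/data');",
  '<img src="http://cdn.example.com/logo.png">',
  '<iframe src="http://widgets.example.com/embed"></iframe>',
  "@font-face { src: url('http://cdn.example.com/f/body.woff2'); }",
  "fetch('https://mybackend.com/api/data'); // already secure",
  "fetch('//mybackend.com/api/data');       // protocol-relative",
].join('\n');

for (const f of auditMixedContent(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} (${f.handling}) ${f.url} -> ${f.fix}`);
}
```

The suggested `fix` only helps when the host actually serves HTTPS; for an HTTP-only vendor, route the call through your own HTTPS backend as described above.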