Enable HTTPS-only mode if your browser offers it: the setting tries the encrypted version of a site first and warns before using an insecure HTTP connection. It prevents an old link or mistyped address from quietly sending page contents across the network without HTTPS.
What the setting changes
Chrome calls the option Always use secure connections. Google says it upgrades URLs to HTTPS and shows a warning before visiting a site that does not support it. Firefox's HTTPS-Only Mode similarly attempts a secure connection and asks before falling back. Modern sites usually work without any extra step because they already serve HTTPS.
HTTPS provides transport security between the browser and the site identified by the certificate. It helps prevent someone on the same network from reading or altering page contents in transit. The address bar and certificate checks matter because encryption to the wrong or malicious site is still encryption.
What HTTPS cannot tell you
- It does not prove a shop, investment offer or download is legitimate.
- It does not stop the site from collecting information you submit.
- It does not remove cookies, fingerprinting or account tracking.
- It does not make a dangerous file safe to open.
Phishing sites can obtain valid certificates. Treat HTTPS as a secure pipe, not a character reference for whoever owns the destination. Read the full hostname, arrive through a trusted route and verify unusual requests independently.
When the warning is reasonable
An old device dashboard, local router page or archival site may lack HTTPS. Before continuing, decide whether the page will carry anything sensitive. Never enter a password, card number or private message through plain HTTP. For a local device, look for a firmware update and use the manufacturer's documented address rather than a search result.
Do not train yourself to click through
A security warning should interrupt the flow. If a familiar public site suddenly cannot establish HTTPS, stop and check the address, device clock and network. Try a different trusted network or the site's official status page. A captive portal may require a temporary sign-in step, but that does not justify ignoring warnings on unrelated pages.
Set up a stronger baseline
- Update the browser so its certificate and protocol support are current.
- Turn on HTTPS-only or always-secure-connections mode.
- Use encrypted DNS as a separate protection for domain lookups.
- Keep Safe Browsing or equivalent malicious-site warnings active.
- Use a password manager, which can help expose look-alike domains by refusing to autofill.
HTTPS-only mode is valuable because it changes failure from invisible to explicit. Most days it does nothing noticeable. On the day an old link, hostile network or misconfigured site tries to drop encryption, the warning gives you the chance to stop before sending data.
Sources & methodology2 sources - evidence for this revision
The records below show what each source supports in this published revision.
- Manage Chrome safety and securityGoogle Chrome Helpreference - Retrieved Jul 12, 2026
What it supportsChrome can upgrade URLs to HTTPS and warn before visiting a site without HTTPS.
- HTTPS-Only Mode in FirefoxMozilla Supportreference - Retrieved Jul 12, 2026
What it supportsFirefox HTTPS-Only Mode attempts HTTPS and asks before an HTTP fallback.



