We at Mozilla believe that people deserve privacy and one of the most important pieces of web privacy is provided through ubiquitous encryption. Because of this, we shipped HTTPS-First by default as of Firefox 136 (March 4th). The mechanism upgrades all page loads to HTTPS and also includes an automated fallback to HTTP if the page does not support HTTPS or does not load fast enough. While this opportunistic upgrading mechanism does not protect against active network attackers, it still favours HTTPS and prevents known pervasive internet monitoring attacks.

The HTTPS-First feature was developed over the course of many years, starting with an opt-in feature called HTTPS-Only mode in 2020: a drastic security feature that disallows all kinds of HTTP connections and asks the user for explicit consent to allow an insecure connection before proceeding. HTTPS-Only mode will live on as a strict protection and has proven a useful replacement for extensions like HTTPS Everywhere. Despite its usefulness, we have learned that HTTPS-Only mode is an expert user mode that is mainly used by security-conscious users and as such has a rather low adoption rate. Less than 1% of Firefox users enable it. We presumed that these numbers are due to two factors: First of all, HTTPS-Only mode is opt-in. Only people who already know what security protections this feature offers or people who actually go through our long settings pages will discover and enable the feature. Secondly, whenever you face pages that do not use HTTPS, you get a rather scary warning that the site is unprotected. In essence, there is too little uptake to consider HTTPS-Only a meaningful protection for all of our users.

All of the aforementioned reasons encouraged us to start developing HTTPS-First as a mechanism with opportunistic HTTPS upgrades as well as an automated fallback mechanism instead of the warning. We enabled HTTPS-First by default for users in Private Browsing Mode in 2021, which provided a really useful experimentation ground and allowed us to protect more users right away. Following this, we started to fine-tune the upgrade heuristics and optimized our changes to align with existing websites and other browsers, which also led to us shipping mixed content upgrades in June 2024. The following milestone shipped HTTPS-First for all pages loaded through the address bar.
In the meantime, we learned of misbehaving websites, incompatibilities, and corner cases which resulted in endless upgrade-downgrade loops. Over the years, the code underwent dozens of algorithmic improvements, various new heuristics to unbreak many websites and also various changes to our test suites.
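
The upgrade, the automated fallback and the upgrade-downgrade loop described above can be modelled in a few lines. This is an added example, not Firefox's implementation: the `navigate` function, its `loopGuard` option, the status values and the `*.example` sites are all hypothetical and constructed for illustration.

```javascript
// Constructed sample "network" (not real sites): URL -> simulated server answer.
// ok = page loads, error = TLS/connection failure, slow = no answer before the
// fallback timer fires, redirect = 3xx response pointing at `to`.
const SAMPLE_SITES = new Map([
  ["https://secure.example/", { status: "ok" }],
  ["https://legacy.example/", { status: "error" }],
  ["http://legacy.example/", { status: "ok" }],
  ["https://slow.example/", { status: "slow" }],
  ["http://slow.example/", { status: "ok" }],
  // Misbehaving site: its HTTPS endpoint redirects straight back to HTTP.
  ["https://loop.example/", { status: "redirect", to: "http://loop.example/" }],
  ["http://loop.example/", { status: "ok" }],
]);

// Hypothetical model: upgrade every http: load, fall back to HTTP on failure,
// and (with loopGuard on) never upgrade the same HTTP URL twice per navigation.
function navigate(url, { loopGuard = true, maxHops = 8, sites = SAMPLE_SITES } = {}) {
  const trace = [];
  const exempt = new Set(); // HTTP URLs that must not be upgraded again
  let current = url;
  for (let hop = 0; hop < maxHops; hop++) {
    const upgrade = current.startsWith("http:") && !exempt.has(current);
    const target = upgrade ? current.replace(/^http:/, "https:") : current;
    if (upgrade) {
      trace.push("upgrade");
      if (loopGuard) exempt.add(current);
    }
    const res = sites.get(target) ?? { status: "error" };
    if (res.status === "ok") return { finalUrl: target, trace };
    if (res.status === "redirect") {
      // A redirect back to a URL we already upgraded is a server-side downgrade.
      trace.push(exempt.has(res.to) ? "downgrade-seen" : "redirect");
      current = res.to;
    } else if (upgrade) {
      // HTTPS failed or was too slow: retry the original URL over HTTP.
      trace.push("fallback");
      exempt.add(current);
    } else {
      return { finalUrl: null, trace }; // plain failure, nothing to fall back to
    }
  }
  // Hop budget exhausted: this is the endless upgrade-downgrade loop.
  return { finalUrl: null, trace: [...trace, "gave-up"] };
}
```

With `loopGuard: false` the `loop.example` navigation exhausts its hop budget, which is the failure mode a per-navigation exemption avoids.
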
During this time, we also sought to understand HTTPS adoption across our user base and along the various mechanisms that web pages and browsers may apply to improve or simplify the migration from HTTP to HTTPS. Surveying user behavior and web security at scale led to our paper “The State of https Adoption on the Web”, which was accepted at Measurements, Attacks, and Defenses for the Web (MADWeb) 2025.

Chart for HTTPS Upgrade mechanisms - Firefox 134

Figure 1: Comparison for top-level (document) loads, relying on https, http, local http and the effectiveness of the various upgrading mechanisms for Firefox 134 (as appeared in our whitepaper)

As part of the study, we looked at the different mechanisms in Firefox that may lead to an upgrade of a navigation targeting an HTTP web page towards HTTPS. As we originally found in our study, more than 90% of links and redirects already target HTTPS from the start. Of the remaining loads, Firefox was already upgrading 1.7% using various mechanisms. The remaining 7.9% were therefore left aside as non-upgradable: We looked more deeply into those 7.9% and found that 5.5% of those are web pages on the local network, which likely do not support HTTPS because they cannot easily acquire valid certificates. And only the remaining 2.4% of loads actually happened on an insecure HTTP connection.
The 1.7% of upgradable content was mostly upgraded by HTTP Strict Transport Security (HSTS), followed by HTTPS-First (limited to loads from the address bar, at the time) and Web Extensions.
With all of these improvements, insights and the early feedback from our beta users, we made the switch and had HTTPS-First ship into release for all page loads with Firefox 136 in March 2025.

Chart for HTTPS Upgrade mechanisms - Firefox 136

Figure 2: The same comparison as above, but for the first three weeks of Firefox 136 with HTTPS-First enabled for all users.

We can see that HTTPS-First is now upgrading 57% of all upgradable content, surpassing all other known techniques. The chart also shows that HTTPS-First as it is currently implemented is still not the only mechanism to perform upgrades. This is intentional, as we prioritize upgrade mechanisms in the order specified in the Fetch standard. Some pages may still not be upgraded at all, because our heuristics only upgrade websites that immediately return a successful HTTPS connection. Typical examples are websites redirecting to a canonical domain (e.g., redirecting between www and non-www domains) or using the HTTP protocol scheme rather than HTTPS.

Evolution of HTTPS over time

Figure 3: The ratio of page loads happening via HTTPS compared to HTTP, aggregated over recent major Firefox versions.

Although we are still looking at early data, we can already see that HTTPS-First is a successful and user-friendly upgrading mechanism which allows securing the web for all mainstream Firefox release users. This solves the aforementioned issues we saw with HTTPS-Only Mode: The HTTPS-First feature is enabled for all users and does not trigger any new error pages. While we want to acknowledge that there are seasonal effects on web traffic at this scale, our telemetry suggests that HTTPS requests for Firefox users have increased by at least 1.5% with the release of HTTPS-First in Version 136.

While we drastically improved the state of https adoption on the web, we are still not quite done on our path to ubiquitous encryption. On the road ahead, we have to find better answers to questions about seasonal and regional effects (as highlighted in our paper). In addition, we also want to tune the aforementioned heuristics such that we can upgrade even more connections. At the same time, we can proudly say that HTTPS in Firefox is at a historic high and will trend upwards as we polish and optimize our latest improvements, without sacrificing user experience, performance or compatibility with the web at large.
And for those of you who want to be informed when visiting a page over an insecure HTTP connection or also those of you who do not shy away from error pages for unencrypted connections, we still recommend using HTTPS-Only mode.