I made a POST request to an HTTP (non-HTTPS) site, inspected the request in Chrome’s Developer Tools, and found that it added its own header before sending it to the server:

Upgrade-Insecure-Requests: 1

After doing a search on Upgrade-Insecure-Requests, I can only find information about the server sending this header:

Content-Security-Policy: upgrade-insecure-requests

This seems related, but still very different since in my case, the CLIENT is sending the header in the Request, whereas all the information I’ve found is concerning the SERVER sending the related header in a Response.


So why is Chrome (44.0.2403.130 m) adding Upgrade-Insecure-Requests to my request and what does it do?


Update 2016-08-24:

This header has since been added as a W3C Candidate Recommendation and is now officially recognized.

For those who just came across this question and are confused, the excellent answer by Simon East explains it well.

The Upgrade-Insecure-Requests: 1 header used to be HTTPS: 1 in the previous W3C Working Draft and was renamed quietly by Chrome before the change became officially accepted.

(This question was asked during this transition, when there was no official documentation on this header and Chrome was the only browser that sent this header.)
