diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index 983f9caaf..22d26b8b6 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -431,6 +431,7 @@ void WebApplication::configure()
 m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
 m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+ m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
 }
 void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@@ -538,6 +539,9 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
 header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
 csp += QLatin1String(" frame-ancestors 'self';");
 }
+ if (m_isHttpsEnabled) {
+ csp += QLatin1String(" upgrade-insecure-requests;");
+ }
 header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
diff --git a/src/webui/webapplication.h b/src/webui/webapplication.h
index eabb08cd1..7713cd72b 100644
--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@@ -146,4 +146,5 @@ private:
 // security related
 bool m_isClickjackingProtectionEnabled;
 bool m_isCSRFProtectionEnabled;
+ bool m_isHttpsEnabled;
 };
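Review bot: The `upgrade-insecure-requests` directive added under `if (m_isHttpsEnabled)` only rewrites http:// fetches and links issued by pages the WebUI has already delivered over TLS; it does nothing for the user's first plain-http navigation to the host, which is what a `Strict-Transport-Security` header covers, so consider emitting one in the same branch, with a modest max-age because HSTS is scoped per host (it would also pin any other service on that host) and persists in browsers after HTTPS is later switched off. The guard also mirrors the stored preference rather than the transport of this particular request, and it is a snapshot taken in configure(), so if the server can ever serve plain HTTP while the preference is on, or the preference changes without configure() re-running, the header will not match reality. A why-comment above the new branch would save the next reader the lookup: `// Upgrades in-page http:// subresources/links to https://; it does not protect the first navigation (HSTS would).` processRequest() begins and ends outside this hunk.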
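Review bot: `bool m_isHttpsEnabled;` is declared without a default, so processRequest() would read an indeterminate value if it can ever run before configure() has assigned the flag; the two neighbouring flags share that property, so either ordering makes this safe by construction or all three want an initializer. If the project's style permits in-class initializers, `bool m_isHttpsEnabled = false;` fails closed (no directive emitted) instead of emitting a CSP directive at random. The enclosing class starts outside this hunk.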