Google has announced that Chrome will enforce HTTPS by default for all public websites starting with version 154, scheduled for release in October 2026.
The change will activate the “Always Use Secure Connections” setting by default, requiring user approval before visiting any public site that doesn't support HTTPS.
The decision follows several years of incremental security improvements, including the introduction of optional HTTPS-first modes and warnings for insecure downloads.
Initially introduced in 2022 as an opt-in security feature, “Always Use Secure Connections” forces Chrome to attempt all site navigations over HTTPS. If HTTPS is unavailable, users are shown a bypassable warning. The feature was designed to mitigate risks associated with unencrypted traffic, such as man-in-the-middle attacks and the injection of malicious or misleading content by attackers.
While 95–99% of Chrome page loads already occur over HTTPS, Google's transparency reports indicate that this rate has stagnated since around 2020. This remaining 1–5% of traffic still represents a substantial security risk, especially because a single insecure navigation can be enough for an attacker to gain a foothold. HTTP navigations are often invisible to users due to automatic redirection to HTTPS, which removes any opportunity to intervene before a potential compromise.
Chrome currently distinguishes between public and private sites when analyzing HTTP usage. Public sites include domains like example.com, while private sites use local addresses such as 192.168.0.1, hostnames like intranet/, or internal shortlinks. HTTPS adoption for private sites remains challenging due to the lack of a certifiable ownership model. As a result, the new default setting in Chrome 154 will apply only to public sites to minimize friction for enterprise users and developers who routinely access internal systems.
Chrome 154's enforcement builds on experiments conducted earlier in Chrome 141, which validated that users rarely encountered warnings. This low warning volume reinforces Google's belief that enabling the setting by default will not be disruptive. A transition phase is scheduled for April 2026 with Chrome 147, when the feature will be activated for users enrolled in Chrome's Enhanced Safe Browsing program.
Google Chrome, with over 3 billion users globally, is the world's most widely used web browser. Its security team plays a leading role in web standardization efforts, particularly around HTTPS adoption and browser hardening. Chrome's security posture heavily influences industry-wide practices, and this latest move is expected to push lagging sites to complete their migration to HTTPS.
While the new behavior may affect older or less-maintained public websites that have not yet enabled HTTPS, Chrome will avoid repeatedly warning users about sites they visit regularly. This should reduce user fatigue while preserving protection against first-time or rare visits to insecure destinations. Chrome will also continue to allow users to disable the setting manually, though the default will favor HTTPS.
Leave a Reply