Starting with Chrome 154 (scheduled October 2026), Google Chrome will enable HTTPS-First mode by default for all users. This means HTTP websites will show a full-page interstitial warning — users must click through to proceed, similar to the “Your connection is not private” warning.
This is the most significant browser enforcement change since Chrome started marking HTTP as “Not Secure” in 2018.
What changes
| Before (current) | After (Chrome 154+) | |
|---|---|---|
| HTTP page | ”Not Secure” text in address bar | Full-page warning requiring user action |
| User effort to access HTTP | None — page loads normally | Must click “Continue to site” |
| Default behavior | Load HTTP if no HTTPS available | Try HTTPS first, warn if only HTTP |
| User perception | Minor label, often ignored | Scary warning, most users will leave |
Timeline
| Date | Chrome version | Change |
|---|---|---|
| January 2017 | Chrome 56 | ”Not Secure” on HTTP pages with passwords |
| July 2018 | Chrome 68 | ”Not Secure” on all HTTP pages |
| 2023 | Chrome 115 | HTTPS-First as opt-in setting |
| 2024 | Chrome 124 | HTTPS-First auto-enabled for users who mostly use HTTPS |
| October 2026 | Chrome 154 | HTTPS-First default for everyone |
Who’s affected
Any website still serving over HTTP. As of 2026, this is roughly 13% of websites worldwide. If your site:
- Has no SSL certificate
- Has a certificate but doesn’t redirect HTTP to HTTPS
- Has an expired certificate
…Chrome users will see a full-page warning instead of your content.
What to do
If your site already uses HTTPS with a valid certificate and redirects HTTP traffic — nothing changes for you. Chrome tries HTTPS first and succeeds.
If your site is still on HTTP:
Step 1: Get a certificate (5 minutes)
Use GetHTTPS to get a free Let’s Encrypt certificate. No installation needed — works in your browser.
Step 2: Install it
Nginx | Apache | cPanel | WordPress | IIS | All platforms →
Step 3: Redirect HTTP to HTTPS
Set up 301 redirects so all HTTP traffic goes to HTTPS. This is critical — without it, Chrome still shows the warning for users who type http://.
Step 4: Fix mixed content
Ensure all resources on your pages load over HTTPS. Mixed content guide →
Impact on SEO
This change amplifies the existing HTTPS ranking signal:
- HTTP sites will see dramatically higher bounce rates as users hit the warning and leave
- Higher bounce rates → lower engagement metrics → lower rankings
- Google has been signaling this direction since 2014 — HTTPS is no longer optional
Other browsers following
Chrome isn’t alone:
- Firefox — has been rolling out HTTPS-Only mode as an opt-in, expected to follow Chrome’s lead
- Safari — already warns on HTTP pages with forms, likely to expand
- Edge — follows Chrome’s Chromium base, will inherit the change
Frequently asked questions
Will Chrome completely block HTTP sites?
Not initially. HTTPS-First shows a warning that users can bypass. It’s not a hard block. But the warning is scary enough that most users won’t proceed — effectively killing HTTP traffic for consumer-facing sites.
My site has HTTPS but some pages still use HTTP links
Chrome tries HTTPS first. If it gets a valid HTTPS response, the warning doesn’t appear. But you should still redirect HTTP to HTTPS and fix mixed content for a clean experience.
What about development/staging servers?
localhost is exempt from HTTPS-First. For staging servers on real domains, either get a certificate (GetHTTPS takes 5 minutes) or use self-signed certificates and add a browser exception.
How much time do I have?
Chrome 154 is scheduled for October 2026, roughly 5 months from now. Given that getting a free certificate takes 5 minutes, there’s no reason to wait.
Is this related to the 47-day certificate change?
No. The 47-day validity change (by 2029) is about certificate lifespan — how often you renew. HTTPS-First is about browser behavior — whether HTTP sites load without warnings. They’re independent changes, both pushing toward universal HTTPS.