Chrome to Warn Users Before Loading HTTP Sites Starting Next Year

In a major security update, Google Chrome will by default prompt users before accessing public websites that use the unencrypted HTTP protocol. The change is slated to take effect with the release of Chrome version 154 in October 2026.

What Is Changing

Chrome currently supports an opt-in setting, “Always Use Secure Connections,” which attempts a secure HTTPS connection first and displays a warning if only HTTP is available. Under the new plan:

• With Chrome 154 (October 2026), the “Always Use Secure Connections” setting will be enabled by default for all users.
• In a phased rollout, Chrome 147 in April 2026 will enable the setting by default for users who have opted into Enhanced Safe Browsing—more than 1 billion users.
• When a user attempts to visit a public website that does not support HTTPS, Chrome will show a bypassable warning explaining the security risks of an unencrypted connection.
• The warning system will not apply to private sites (for example, local IPs, intranet pages, or short hostnames) although these are still acknowledged as posing risk.
• To prevent “warning fatigue,” Chrome will limit how often it displays warnings for the same insecure site. According to Google’s internal testing, the median user sees fewer than one warning per week, and the 95th percentile fewer than three per week.

Background and Context

The push toward HTTPS (the encrypted version of HTTP) has been underway for many years. Encryption helps prevent attackers from intercepting or altering data exchanged between a browser and a website.

According to Google’s own data, HTTPS adoption in Chrome-based traffic rose sharply from around 30–45 % in 2015 to approximately 95–99 % by 2020.

However, progress has since flattened, leaving a small but meaningful share of website navigations still using HTTP. Google argues that even a small percentage of insecure connections represents millions of opportunities for attackers to exploit.

Why It Matters

The change underscores how even one insecure HTTP connection can pose a risk. When data is transmitted over HTTP instead of HTTPS, attackers operating on the same network (such as public Wi-Fi) can intercept or redirect traffic—potentially loading malicious content or phishing pages without a user’s awareness.

For website operators still running HTTP-only sites, the upcoming change means that visitors using Chrome may begin receiving warnings, which could influence user behaviour and trust. Entities responsible for high-volume HTTP traffic are already being contacted by Google and encouraged to migrate to HTTPS.

Implications for Developers and IT Teams

• Website owners of public-facing HTTP sites should plan for migration to HTTPS. Google recommends enabling the “Always Use Secure Connections” setting now (via chrome://settings/security) to identify any remaining HTTP sites.
• Internal or private-network sites (e.g., devices on local IPs or enterprise intranet hostnames) are not immediately subject to warnings, because certificate issuance for “non-unique” names is more complex.
• Organisations (especially enterprise/education) deploying Chrome fleet-wide can configure the setting as needed and manage how warnings are presented to end-users.

Looking Ahead

While this initiative marks a significant step toward securing web traffic, it is not the final word. Google has indicated it intends to further reduce barriers to HTTPS adoption for private-network and mixed-content scenarios in future updates.

As Chrome moves to make secure connections the default, the broader web ecosystem (including site owners, certificate authorities and device manufacturers) will need to align to ensure compatibility and minimize disruption.