diff --git a/app.js b/app.js
index 54ec6cf..8af029e 100644
--- a/app.js
+++ b/app.js
@@ -126,6 +126,11 @@ if (config.csp.enable) {
       directives[propertyName] = directive;
     }
   }
+  if(config.csp.upgradeInsecureRequests === 'auto') {
+    directives.upgradeInsecureRequests = config.usessl === 'true'
+  } else {
+    directives.upgradeInsecureRequests = config.csp.upgradeInsecureRequests === 'true'
+  }
   app.use(helmet.contentSecurityPolicy({
     directives: directives
   }))
diff --git a/lib/config/default.js b/lib/config/default.js
index e207dfc..217d11d 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -20,8 +20,9 @@ module.exports = {
       defaultSrc: ["'self'"],
       scriptSrc: ["'self'"],
       styleSrc: ["'self'", "'unsafe-inline'"],
-      fontSrc: ["'self'"]
-    }
+      fontSrc: ["'self'"],
+    },
+    upgradeInsecureRequests: 'auto'
   },
   protocolusessl: false,
   usecdn: true,