Upgrade-Insecure-Requests

[joonas-fi]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests

We could use this as a heuristic here:

edgerouter/pkg/erserver/serve.go

Lines 141 to 144 in af2531a

	notSecure := r.TLS == nil
	if notSecure && !mount.allowInsecureHTTP { // important that this is done before stripPrefix
	redirectHTTPToHTTPS(w, r) // come back when you have TLS, bro

Counter-argument: this allows downgrade attacks by a MITM attacker removing the header

Further analysis required