Skip to Main Content

The new 1Password Community is live!

Join now

Navigation Failed Because The Request Was For An Http Url With Https-only Enabled Access

April 14, 2026 | Reading Time: 4 minutes

// Option A: Protocol-relative (Uses whatever the parent page uses) fetch('//mybackend.com/api/data'); // Option B: Absolute HTTPS (Forces encryption) fetch('https://mybackend.com/api/data');

If you are using Firefox (which popularized this feature) or any modern browser with strict security settings, you’ve likely hit this wall. In this post, we’ll break down why this happens, where the request is actually going, and three concrete ways to fix it without turning off security entirely. The error message is actually very literal. Your browser attempted to fetch a resource (an image, a script, an API endpoint, or a page navigation) using the standard http:// protocol. However, the browser’s internal HTTPS-Only Mode is active, and it is refusing to downgrade to unencrypted HTTP. April 14, 2026 | Reading Time: 4 minutes

https://yourapp.com/api/proxy ➔ Your Server (Node.js/NGINX): http://legacy-vendor.com/data ➔ Back to Browser.

Audit your code for stray http:// references today—your users’ browsers are already doing the same. Your browser attempted to fetch a resource (an

HTTPS-Only mode forces the browser to automatically upgrade every request to HTTPS. If the upgrade fails (or if you explicitly hardcode http:// ), the browser throws an error instead of falling back to unsafe HTTP. You cannot fix this by telling your users to turn off HTTPS-Only mode. Instead, you need to fix your code or infrastructure. Fix 1: Use Protocol-Relative or Absolute HTTPS URLs (The Easiest) Never hardcode http:// or https:// in your frontend code. Use protocol-relative URLs (starting with // ) or absolute paths.

// Option C: Just use a relative path if on the same origin fetch('/api/data'); If the browser is trying to access your http:// resource because your server is misconfigured, you can train the browser to never use HTTP again via HTTP Strict Transport Security (HSTS) . Audit your code for stray http:// references today—your

Add this header to your server (Apache/NGINX):