use Content-Security-Policy to ask the web browser to update the request when it loads the page

Header always set Content-Security-Policy: upgrade-insecure-requests