diff --git a/lib/content_security_policy/default.rb b/lib/content_security_policy/default.rb
index f3382e3f77c..daebd99df50 100644
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@@ -8,6 +8,7 @@ class ContentSecurityPolicy
 def initialize(base_url:)
 @base_url = base_url
 @directives = {}.tap do |directives|
+ directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https
 directives[:base_uri] = [:none]
 directives[:object_src] = [:none]
 directives[:script_src] = script_src
diff --git a/spec/lib/content_security_policy_spec.rb b/spec/lib/content_security_policy_spec.rb
index c203c850eb4..32a4db46d34 100644
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@@ -32,6 +32,18 @@ describe ContentSecurityPolicy do
 end
 end
 
+ describe 'upgrade-insecure-requests' do
+ it 'is not included when force_https is off' do
+ SiteSetting.force_https = false
+ expect(parse(policy)['upgrade-insecure-requests']).to eq(nil)
+ end
+
+ it 'is included when force_https is on' do
+ SiteSetting.force_https = true
+ expect(parse(policy)['upgrade-insecure-requests']).to eq([])
+ end
+ end
+
 describe 'worker-src' do
 it 'has expected values' do
 worker_srcs = parse(policy)['worker-src']
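Review bot: The new `directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https` line carries no explanation of why the directive is tied to `force_https`, and the reason is not obvious to the next reader: `upgrade-insecure-requests` makes browsers rewrite subresource and same-origin navigation requests to `https://`, which is only safe once the site actually serves everything over TLS. I would add `# Only emit upgrade-insecure-requests when the site is HTTPS-only; on an HTTP site the browser would rewrite subresource URLs to https:// and break assets that are not served over TLS.` above the new line. Note also that the setting is read once here, inside `initialize`, so a policy object that is built once and reused would keep the value of `force_https` from construction time rather than reflecting a later change; if instances are per-request that is fine, but it may be worth a comment. The `initialize` body, and the `tap` block it opens, continue past the end of the hunk.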
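Review bot: The first new example uses `expect(parse(policy)['upgrade-insecure-requests']).to eq(nil)`, where the idiomatic matcher is `expect(parse(policy)['upgrade-insecure-requests']).to be_nil`; `eq(nil)` works but reads as a hash-value comparison rather than the absence assertion it is. Both examples assign `SiteSetting.force_https` directly, so they rely on the suite resetting site settings between examples; if that reset is not in place the second example would leak `force_https = true` into the `worker-src` group that follows. The `parse` and `policy` helpers these examples call are defined outside the hunk, so the exact shape of the `[]` value asserted in the second example cannot be confirmed from here.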