Best Practices 01-09-2018

HTTPS-Only Features in Major Browsers

Vincent Lynch

You may not know this little fact: certain browser features require HTTPS to work. Features like getting a user’s location, accessing their microphone, or storing data locally on their device, all require that your website supports HTTPS.

We often talk about the benefits to user experience and website reputation that come from adopting HTTPS, but being able to build a website with modern capabilities may be an even more compelling reason.

The table below lists the features that currently require HTTPS in at least one major browser, including HTTP/2 and Brotli compression (both groundbreaking improvements in web technology), plus three existing features that browsers plan to restrict to HTTPS at some point in the future.

We are going to briefly cover the background of HTTPS-only features and then the list of current and future features that require a secure connection.

The Importance of Secure Contexts

Google initially proposed restricting certain features to HTTPS in 2014. They realized that websites were starting to offer experiences comparable to native apps through browser features such as webcam support and local data storage. This was good news for rich web apps, but it posed a security risk if those features could be tampered with by a man-in-the-middle or by other network interference or impersonation.

Imagine a user connects to your site over plain HTTP and someone else on the network piggybacks on the access you were granted to their webcam or microphone and eavesdrops. Or worse, that network attacker fabricates the request entirely by injecting script into your unencrypted page.

Since Google’s initial concept, their proposal has evolved into “Secure Contexts,” a W3C draft that hopes to become the internet standard for defining secure access to these advanced browser features.
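To make the Secure Contexts idea concrete, here is an added example (not code from the original article or from the W3C draft) of the two checks a web developer ends up dealing with: a simplified version of the draft's "potentially trustworthy origin" rules, which is what a browser applies to decide whether HTTPS-only features are exposed at all, and a feature-detection guard that checks `window.isSecureContext` before touching `getUserMedia`. The `win` parameter and the fake window object passed to it are assumptions made so the guard runs outside a browser; the origin classifier covers the common cases (https, wss, file, localhost and loopback addresses) and deliberately omits the draft's less common rules such as user-agent-configured trusted origins.

```javascript
// Added example, not part of the original article.
// Simplified "potentially trustworthy origin" check modelled on the W3C Secure
// Contexts draft. Returns true when a browser would treat the page as a secure
// context. Uses the global URL class (available in browsers and Node >= 10).
function isPotentiallyTrustworthyOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // an unparseable URL is never trustworthy
  }
  const scheme = url.protocol.replace(/:$/, "");

  // Encrypted/authenticated transports and local files qualify directly.
  if (scheme === "https" || scheme === "wss" || scheme === "file") {
    return true;
  }

  // Loopback hosts qualify regardless of scheme. This is the rule that lets
  // http://localhost use getUserMedia during development while http://example.com
  // cannot. Node and browsers keep IPv6 brackets in hostname, so strip them.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) {
    return true;
  }
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host) || host === "::1") {
    return true;
  }

  return false; // plain http://, ws://, etc. on a real host
}

// Feature detection that accounts for secure contexts. `win` stands in for the
// browser's window object (assumption made so this runs under Node as well).
// The distinction matters: in an insecure context navigator.mediaDevices is
// simply absent, so a bare "is getUserMedia defined?" check would mislead the
// developer into thinking the browser lacks support.
function getUserMediaAvailability(win) {
  if (!win.isSecureContext) {
    return { ok: false, reason: "insecure context: serve this page over HTTPS" };
  }
  const md = win.navigator && win.navigator.mediaDevices;
  if (!md || typeof md.getUserMedia !== "function") {
    return { ok: false, reason: "getUserMedia not supported by this browser" };
  }
  return { ok: true, reason: "" };
}

// Constructed fake window objects standing in for real browser state.
const insecureWindow = { isSecureContext: false, navigator: {} };
const secureWindow = {
  isSecureContext: true,
  navigator: { mediaDevices: { getUserMedia: function () {} } },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const u of ["https://example.com/", "http://example.com/",
                   "http://localhost:3000/app", "http://[::1]/"]) {
    console.log(u, "->", isPotentiallyTrustworthyOrigin(u));
  }
  console.log(getUserMediaAvailability(insecureWindow).reason);
  console.log(getUserMediaAvailability(secureWindow).ok);
}
```

In a real page you would call `getUserMediaAvailability(window)` before prompting the user, and show the "serve this page over HTTPS" message rather than a generic "unsupported browser" error; that is the difference between a developer fixing the deployment and a developer filing a bug against the browser.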

Even while Secure Contexts is still a draft, new features and standards have already been designed to require HTTPS from their inception, the biggest being HTTP/2. All major browsers require that websites use HTTPS for HTTP/2, meaning you have no access at all to the newest version of the web's core protocol if you are still serving unencrypted HTTP.

Other major standards like Brotli, a compression algorithm that offers better performance than gzip, and Google’s AMP, were also designed around HTTPS support.

You’ve likely heard some news recently about web browser initiatives around HTTPS. The increasing number of features, standards, and APIs that require HTTPS is yet another indicator of browsers’ strong interest in spurring adoption and the HTTPS-only future of the internet.

It can be hard to keep track of which features require HTTPS and how that affects specific browsers. The table below summarizes all of this information, including existing features that are planned to become HTTPS-only. Even if you don't use these features on your website, it should serve as an eye-opener for just how serious major browsers like Chrome and Firefox are about HTTPS.

When a feature is HTTPS-only in a browser we list the version number with a link to documentation of the change. If a feature is not supported at all, or allowed over HTTP, we note that and any possible plans to restrict that feature in the future. This list will be updated as new announcements are made by browsers.

Secure-Origin-Only Features & Standards

For each feature: the browser version from which it is HTTPS-only, and notes.

AMP (Accelerated Mobile Pages)
HTTPS-only starting: some features, since introduction
Notes: This one is unlike the others. AMP is Google's open-source framework for serving pages on the mobile web. Many AMP components, including iframes, video embedding and ad serving, require HTTPS. The full list of AMP components is available here, where you can check each component for an HTTPS requirement.

Bluetooth (Web Bluetooth)
HTTPS-only starting: since introduction
Notes: This API is only supported in Chrome.

Brotli
HTTPS-only starting: since introduction
Notes: A compression format that offers better compression than gzip. Browsers only advertise and accept Brotli-encoded responses over HTTPS. Supported in Chrome 50 and Firefox 44.

getUserMedia (webcam and microphone)
HTTPS-only starting: Chrome 47; partially restricted in Firefox
Notes: Firefox still allows getUserMedia over HTTP, but only with a one-time permission, so the user has to grant access again on every visit. In Chrome, the Speech Recognition API, which needs microphone access as a prerequisite, therefore also requires HTTPS.

Geolocation
HTTPS-only starting: Chrome 50, Firefox 55

HTTP/2
HTTPS-only starting: since introduction
Notes: Although the HTTP/2 standard does not itself require TLS, every major browser (Chrome, Firefox, Safari and Edge) only speaks HTTP/2 over HTTPS.

EME (Encrypted Media Extensions)
HTTPS-only starting: Chrome 58
Notes: Planned in Firefox, with no announced release date.

Notifications
HTTPS-only starting: Chrome 62
Notes: Firefox still allows the Notifications API over HTTP.

Payment Request API (Web Payments)
HTTPS-only starting: since introduction
Notes: See Google Developers' introduction to Web Payments. This API is not yet supported in Firefox.

Service Workers
HTTPS-only starting: since introduction

Web Crypto
HTTPS-only starting: Chrome 60
Notes: Planned in Firefox, with no announced release date.

Upcoming Changes

These features and standards are still available over HTTP—for now. Browsers or standards groups (like the W3C or IETF) have expressed interest in requiring HTTPS for these in the future.

For each feature: the version from which it will require HTTPS (none announced yet), and notes.

AppCache (Application Cache)
Will require HTTPS starting: not yet announced
Notes: Chrome has deprecated the AppCache API over HTTP since version 52. Note, however, that the API as a whole is being abandoned by browsers in favor of Service Workers and the Cache API.

Device Motion / Orientation
Will require HTTPS starting: not yet announced
Notes: Announced on Chromium's security page.

Fullscreen
Will require HTTPS starting: not yet announced
Notes: The Secure Contexts draft lists fullscreen as a good candidate for HTTPS-only access.
