426 Upgrade Required
Usage
When the 426 Upgrade Required status code is received, the response includes an Upgrade response header field indicating the required protocol(s).
This message is related to the 101 Switching Protocols message, sent in response to a Protocol-Upgrade request by the client using the Upgrade header.
Example
The client requests a resource over plain HTTP and the server responds with 426 Upgrade Required because TLS is mandatory. The client switches to HTTPS and the request succeeds.
HTTP/2 and HTTP/3
HTTP/2 and HTTP/3 are negotiated through ALPN during the TLS handshake, not through the Upgrade header. The cleartext HTTP/2 upgrade mechanism (h2c) was removed from the specification. The Upgrade header applies to protocol switches such as TLS and WebSocket.
Initial request
GET /tech-news HTTP/1.1
Host: example.com
Initial response
HTTP/1.1 426 Upgrade Required
Upgrade: TLS/1.2
Connection: upgrade
Content-Type: text/html
Content-Length: 140
<html>
<head>
<title>TLS Required</title>
</head>
<body>
<p>This service requires TLS.</p>
</body>
</html>
Subsequent request over HTTPS
GET /tech-news HTTP/1.1
Host: example.com
Response
HTTP/1.1 200 OK
Content-Type: text/html
How to fix
Read the Upgrade header in the response to identify the required protocol. The server lists one or more acceptable protocols such as TLS/1.2, HTTP/2, HTTP/3, or websocket.
For protocol version upgrades, switch the client to the specified protocol and re-send the request. HTTP/2 and HTTP/3 use ALPN during the TLS handshake rather than the Upgrade header. For other protocols like WebSocket, include Connection: upgrade and the matching Upgrade header. The server responds with 101 Switching Protocols and the connection proceeds under the new protocol.
For WebSocket connections through nginx, configure the proxy to forward upgrade headers:
Without these directives, nginx defaults to HTTP/1.0 for upstream connections and strips the upgrade headers, producing 426 on every WebSocket handshake attempt.
When a server enforces HTTPS, change the request URL scheme from http:// to https://. Verify TLS 1.2 or TLS 1.3 is enabled in the client or runtime environment. Older TLS versions are commonly rejected.
Update client libraries and SDKs when they lack support for the required protocol. Outdated HTTP libraries default to HTTP/1.1 and have no HTTP/2 or HTTP/3 negotiation capability.
Remove unnecessary Upgrade headers from requests not intended for protocol switching. Some proxies interpret a stray Upgrade header as a protocol negotiation attempt and return 426.
Code references
.NET
HttpStatusCode.UpgradeRequired
Rust
http::StatusCode::UPGRADE_REQUIRED
Rails
:upgrade_required
Go
http.StatusUpgradeRequired
Symfony
Response::HTTP_UPGRADE_REQUIRED
Python3.5+
http.HTTPStatus.UPGRADE_REQUIRED
Apache HttpComponents Core
org.apache.hc.core5.http.HttpStatus.SC_UPGRADE_REQUIRED
Angular
@angular/common/http/HttpStatusCode.UpgradeRequired