prefer-https

June 10, 2026 Β· View on GitHub

πŸ“ Prefer HTTPS over HTTP.

πŸ’ΌπŸš« This rule is enabled in the βœ… recommended config. This rule is disabled in the β˜‘οΈ unopinionated config.

πŸ”§ This rule is automatically fixable by the --fix CLI option.

Using HTTPS avoids sending URLs to public resources over an insecure protocol.

This rule checks source text, including strings, template literals, JSX, comments, and non-JavaScript files when they are linted with ESLint language plugins such as @eslint/css, @eslint/json, @eslint/markdown, and html-eslint.

URLs without a public-looking top-level domain are ignored. For example, http://localhost, http://example, and http://127.0.0.1 are allowed.

Well-known XML namespace URIs are also ignored. These are opaque identifiers that happen to use the http: scheme (for example, SVG's http://www.w3.org/2000/svg); rewriting them to https: would break XML and DOM parsing.

Examples

// ❌
const url = 'http://sindresorhus.com';

// βœ…
const url = 'https://sindresorhus.com';
// ❌
// See http://sindresorhus.com

// βœ…
// See https://sindresorhus.com
// ❌
const element = <a href="http://sindresorhus.com">http://sindresorhus.com</a>;

// βœ…
const element = <a href="https://sindresorhus.com">https://sindresorhus.com</a>;