diff --git a/.changeset/hip-trees-heal.md b/.changeset/hip-trees-heal.md
new file mode 100644
index 0000000000..2fc9633b98
--- /dev/null
+++ b/.changeset/hip-trees-heal.md
@@ -0,0 +1,13 @@
+---
+'@backstage/backend-common': patch
+---
+
+Omit the `upgrade-insecure-requests` Content-Security-Policy directive by default, to prevent automatic HTTPS request upgrading for HTTP-deployed Backstage sites.
+
+If you previously disable this using `false` in your `app-config.yaml`, this line is no longer necessary:
+
+```diff
+backend:
+ csp:
+- upgrade-insecure-requests: false
+```
diff --git a/app-config.yaml b/app-config.yaml
index 9874ce37ac..f9dd479e0e 100644
--- a/app-config.yaml
+++ b/app-config.yaml
@@ -37,6 +37,8 @@ backend:
 credentials: true
 csp:
 connect-src: ["'self'", 'http:', 'https:']
+ # Other Content-Security-Policy directives can be added according to the Helmet format:
+ # https://helmetjs.github.io/#reference
 reading:
 allow:
 - host: example.com
diff --git a/contrib/docs/tutorials/help-im-behind-a-corporate-proxy.md b/contrib/docs/tutorials/help-im-behind-a-corporate-proxy.md
index bee0a84fe6..841e13dd8b 100644
--- a/contrib/docs/tutorials/help-im-behind-a-corporate-proxy.md
+++ b/contrib/docs/tutorials/help-im-behind-a-corporate-proxy.md
@@ -80,6 +80,4 @@ backend:
 origin: https://your-public-url.com:3000
 ```
-If the protocol is `http`, you will need to set `backend.csp.upgrade-insecure-requests` to `false` as well.
-
 The app port must proxy web socket connections in order to make hot reloading work.
diff --git a/packages/backend-common/src/service/lib/ServiceBuilderImpl.ts b/packages/backend-common/src/service/lib/ServiceBuilderImpl.ts
index c17545779a..45eba03157 100644
--- a/packages/backend-common/src/service/lib/ServiceBuilderImpl.ts
+++ b/packages/backend-common/src/service/lib/ServiceBuilderImpl.ts
@@ -55,7 +55,6 @@ const DEFAULT_CSP = {
 'script-src': ["'self'", "'unsafe-eval'"],
 'script-src-attr': ["'none'"],
 'style-src': ["'self'", 'https:', "'unsafe-inline'"],
- 'upgrade-insecure-requests': [] as string[],
 };
 export class ServiceBuilderImpl implements ServiceBuilder {
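Review bot: Removing `'upgrade-insecure-requests'` from `DEFAULT_CSP` silently weakens the default for HTTPS deployments: the browser will no longer upgrade mixed-content subresource and fetch requests, and the shipped `app-config.yaml` already allows `http:` in `connect-src`, so an HTTPS-served instance now tolerates plaintext requests unless the operator opts back in. Nothing in the hunk records that this is a deliberate trade-off made for HTTP-only deployments, so a future maintainer may read the missing directive as an oversight and operators get no hint to restore it. I would add a comment next to the remaining directives, e.g. `// 'upgrade-insecure-requests' is intentionally omitted so HTTP-only deployments keep working; HTTPS deployments should set backend.csp.upgrade-insecure-requests: [] (the empty-array form the old default used) to re-enable it.` The `const DEFAULT_CSP = {` literal starts before this hunk (it is visible only in the `@@` context), so the comment may belong at the top of the object rather than beside `'script-src'`; how `backend.csp` is merged over these defaults is not visible here, so confirm the empty-array form is what the config path accepts.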