diff --git a/src/agent.rs b/src/agent.rs
index 9728c7e..6add8eb 100644
--- a/src/agent.rs
+++ b/src/agent.rs
@@ -20,14 +20,16 @@ use {
 ///
 /// `Never` is the default strategy and never preserves `authorization` header in redirects.
 /// `SameHost` send the authorization header in redirects only if the host of the redirect is
-/// the same of the previous request, and both use the `https` scheme.
+/// the same of the previous request, and both use the same scheme (or switch to a more secure one, i.e
+/// we can redirect from `http` to `https`, but not the reverse).
 #[derive(Debug, Clone, PartialEq, Eq)]
 #[non_exhaustive]
 pub enum RedirectAuthHeaders {
     /// Never preserve the `authorization` header on redirect. This is the default.
     Never,
-    /// Preserve the `authorization` header when the redirect is to the same host. Must
-    /// be under the `https` scheme (though port can differ).
+    /// Preserve the `authorization` header when the redirect is to the same host. Both hosts must use
+    /// the same scheme (or switch to a more secure one, i.e we can redirect from `http` to `https`,
+    /// but not the reverse).
     SameHost,
 }
 
diff --git a/src/unit.rs b/src/unit.rs
index d06e183..bb2c9d5 100644
--- a/src/unit.rs
+++ b/src/unit.rs
@@ -383,7 +383,10 @@ fn can_propagate_authorization_on_redirect(
     let prev_host = prev_url.host_str();
     let prev_is_https = scheme_is_https(prev_url);
 
-    host == prev_host && prev_is_https && is_https
+    let same_scheme_or_more_secure =
+        is_https == prev_is_https || (!prev_is_https && is_https);
+
+    host == prev_host && same_scheme_or_more_secure
 }
 }
 }
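Review bot: The rewritten `SameHost` doc drops the old "(though port can differ)" remark, yet the check in `src/unit.rs` still compares only `host_str()`, so a redirect to the same host on a different port still carries the `authorization` header; that is a detail a caller choosing this variant should see. Suggest appending `/// The port is not compared, so a redirect to the same host on a different port also keeps the header.` to the variant doc. Both new doc lines also write "i.e" without the trailing period and the unchanged context line still reads "`SameHost` send" rather than "sends".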
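Review bot: The new `same_scheme_or_more_secure` expression is correct but redundant: `is_https == prev_is_https || (!prev_is_https && is_https)` is true in every case except an https→http downgrade, so it reduces to `let same_scheme_or_more_secure = is_https || !prev_is_https;`, which also reads as the intent ("never drop from https to http"). Since this commit widens when credentials are forwarded and ships no test, a unit test covering the four scheme combinations (http→http and http→https allowed, https→http denied, https→https allowed) would pin the downgrade refusal. The comparison `host == prev_host` is on `Option<&str>` values if `host` is also taken from `host_str()`; two host-less URLs would then compare equal and pass the check, which is worth a `debug_assert!(prev_host.is_some())` or an explicit `prev_host.is_some() &&` guard if such URLs can reach this point. `can_propagate_authorization_on_redirect` starts outside the hunk, so `host` and `is_https` are not visible here.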