diff --git a/kurl_proxy/assets/welcome.html b/kurl_proxy/assets/welcome.html
index 5ecc7d848e..70d12f4243 100644
--- a/kurl_proxy/assets/welcome.html
+++ b/kurl_proxy/assets/welcome.html
@@ -19,7 +19,7 @@
       .replace(/\/$/, "");
     var httpsLink = "http:" + rawLink;
     var opensslLink = rawLink.substring(2).replace("/", "");
-    var insecureLink = httpsLink + "/insecure";
+    var insecureLink = httpsLink + "/tls-warning";
   </script>
   <body>
     <div class="u-minHeight--full u-width--full flex flex-column flex1">
diff --git a/kurl_proxy/cmd/main.go b/kurl_proxy/cmd/main.go
index 4e7810d75c..ff198be74f 100644
--- a/kurl_proxy/cmd/main.go
+++ b/kurl_proxy/cmd/main.go
@@ -275,11 +275,34 @@ func getHttpServer(fingerprint string, acceptAnonymousUploads bool, assetsDir st
 		}
 
 		appIcon := template.URL(app.Spec.Icon)
-		htmlPage := "welcome.html"
-		if c.Request.URL.Path == "/insecure" {
-			htmlPage = "insecure.html"
+		c.HTML(http.StatusOK, "welcome.html", gin.H{
+			"fingerprintSHA1":   fingerprint,
+			"AppIcon":           appIcon,
+			"AppTitle":          app.Spec.Title,
+			"IsEmbeddedCluster": isEmbeddedCluster(),
+		})
+	})
+	r.GET("/tls-warning", func(c *gin.Context) {
+		if !acceptAnonymousUploads {
+			log.Println("TLS certs already uploaded, redirecting to https")
+			target := url.URL{
+				Scheme:   "https",
+				Host:     c.Request.Host,
+				Path:     c.Request.URL.Path,
+				RawQuery: c.Request.URL.RawQuery,
+			}
+			// Returns StatusFound (302) to avoid browser caching
+			c.Redirect(http.StatusFound, target.String())
+			return
+		}
+
+		app, err := kotsadmApplication()
+
+		if err != nil {
+			log.Printf("No kotsadm application metadata: %v", err) // continue
 		}
-		c.HTML(http.StatusOK, htmlPage, gin.H{
+		appIcon := template.URL(app.Spec.Icon)
+		c.HTML(http.StatusOK, "insecure.html", gin.H{
 			"fingerprintSHA1":   fingerprint,
 			"AppIcon":           appIcon,
 			"AppTitle":          app.Spec.Title,