diff --git a/components/esp_https_ota/Kconfig b/components/esp_https_ota/Kconfig
index 66592d97..946fc9e4 100644
--- a/components/esp_https_ota/Kconfig
+++ b/components/esp_https_ota/Kconfig
@@ -9,4 +9,13 @@ config OTA_BUF_SIZE
         This buffer size depends on CONFIG_HTTP_BUF_SIZE. If you want to enlarge ota buffer size, please also enlarge CONFIG_HTTP_BUF_SIZE.
         OTA_BUF_SIZE equals to 1460 can save 40% upgrade time in contrast to OTA_BUF_SIZE which equals to 256. 
 
+config OTA_ALLOW_HTTP
+    bool "Allow HTTP for OTA (WARNING: ONLY FOR TESTING PURPOSE, READ HELP)"
+    default n
+    help
+        It is highly recommended to keep HTTPS (along with server certificate validation) enabled.
+        Enabling this option comes with potential risk of:
+        - Non-encrypted communication channel with server
+        - Accepting firmware upgrade image from server with fake identity
+
 endmenu
diff --git a/components/esp_https_ota/src/esp_https_ota.c b/components/esp_https_ota/src/esp_https_ota.c
index 2f04d9b7..d326c2be 100644
--- a/components/esp_https_ota/src/esp_https_ota.c
+++ b/components/esp_https_ota/src/esp_https_ota.c
@@ -36,10 +36,12 @@ esp_err_t esp_https_ota(const esp_http_client_config_t *config)
         return ESP_ERR_INVALID_ARG;
     }
 
+#if !CONFIG_OTA_ALLOW_HTTP
     if (!config->cert_pem) {
         ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
         return ESP_FAIL;
     }
+#endif
 
     esp_http_client_handle_t client = esp_http_client_init(config);
     if (client == NULL) {
@@ -47,10 +49,12 @@ esp_err_t esp_https_ota(const esp_http_client_config_t *config)
         return ESP_FAIL;
     }
 
+#if !CONFIG_OTA_ALLOW_HTTP
     if (esp_http_client_get_transport_type(client) != HTTP_TRANSPORT_OVER_SSL) {
         ESP_LOGE(TAG, "Transport is not over HTTPS");
         return ESP_FAIL;
     }
+#endif
 
     esp_err_t err = esp_http_client_open(client, 0);
     if (err != ESP_OK) {