Reputation: 20496
Safari keeps forcing HTTPS on localhost
When I load http://localhost:3000 in Safari, Safari automatically redirects to https://localhost:3000. How can I disable this functionality?
I went into ~/Library/Cookies/HSTS.plist and removed the localhost entry, then restarted Safari but it just re-added it to that plist file and redirected to https.
Any ideas how to fix this so that on localhost I have to explicitly say http or https?
Upvotes: 55
Views: 46841
Answers (7)
Reputation: 2319
This also happens if the Content Security Policy "upgrade-insecure-requests" is set. There is an open issue here: https://github.com/github/secure_headers/issues/348
Upvotes: 17
Reputation: 571
After following the fix by Charlie with no luck, what worked for me was running a private window. and after a restart, everything seemed fine on both private and public tabs.
Upvotes: 2
Reputation: 131
You can try
deleting website data for localhost (Safari > Preferences > Privacy > Manage Website Data...)
After that close browser and try it.
If cannot you can try make different port 80 after back port 80 for localhost
Upvotes: 4
Reputation: 1105
It's possible to use http://127.0.0.1:3000 instead. Or your local computer name.
For example: http://andis-mac-5.local:3000.
You can determine the local computer name from system preferences - Share - Edit:
Upvotes: -3
Reputation: 51063
In Safari 13.0.5, deleting website data for localhost (Safari > Preferences > Privacy > Manage Website Data...) solves the problem.
Upvotes: 31
Reputation: 20496
I was able to solve this based on an answer from Ask Different.
In short, closing Safari, then running the commands below, worked.
sudo killall nsurlstoraged
rm -f ~/Library/Cookies/HSTS.plist
launchctl start /System/Library/LaunchAgents/com.apple.nsurlstoraged.plist
Restarting Safari after running that and trying to go to http://localhost:3000 solved the problem and did not redirect to to https.
Hopefully this helps someone fix this problem.
Upvotes: 76
Reputation: 45905
First of all lets confirm why it is going to HTTPS.
In Developer Tools is it showing a 301 or 302 redirect?
If so it's your web server saying to go to HTTPS. Fix your web server config.
Or is it a 307 redirect which indicates HSTS?
To be perfectly honest I'm not sure if Safari shows this as a 307 (a fake internal redirect to represent HSTS), so it might just go there without showing this, but Chrome does show this.
If so, then deleting that file and restarting should solve that. However can you confirm if the HTTPS site is returning a strict-transport-security HTTP Header? If so then it will just set that next time you happen to go to HTTPS (including if your page loads and image over HTTPS). Can you remove that header? Or better yet, publish it with a max-age of 0 so it removes it from the HSTS browser cache without having to figure out which file it's in or if Safari have moved it from ~/Library/Cookies/HSTS.plist
Upvotes: -7
Related Questions
- How do I stop Firefox from forcing https:// on local development server?
- How do I prevent ALL my browsers (FF, Chrome, Safari and Opera) from redirecting localhost to https?
- Google Chrome redirecting localhost to https
- Firefox redirects localhost to HTTPS
- Safari is forcing HTTPS on everything when I don't want it to
- local site is automatically on https on chrome
- Local virtual hosts show Privacy Error on Chrome due to HSTS
- Safari can't connect to the server "localhost"
- Local Site Defaulting to https
- Safari could not establish secure connection to my localhost