In addition to cached redirects, HTTP Strict Transport Security (aka HSTS) may be at play. HSTS is a security feature that forces the browser to use HTTPS even when accessing an HTTP URL.
The browser will start using HSTS for a domain after receiving a Strict-Transport-Security header from the server. The browser also ships with a list of domains for which HSTS is enabled by default.
In Chrome, there is a way to delete your domain from HSTS after it was added by the server. Though, you can’t exclude domains that are baked in the browser (this includes popular websites and notably everything under the new .dev TLD)
Go to
chrome://net-internals/#hsts. Enter example.com under Delete domain security policies and press the Delete button.Now go to
chrome://settings/clearBrowserData, tick the box Cached images and files and press click the button Clear data.
19
-
3
This helped me as well!!! While developing internally and having the same problem of the redirect!
Jul 12, 2015 at 3:11
-
5
Man, this had been bugging me for ages, finally got it, thanks! A potential gotcha of note: If the domain you're having trouble with is a subdomain you may need to delete the primary domain from the HSTS set if "include subdomains for STS is set to true". If you run a query on the parent domain you should see if that's set or not for the domain in question.
Jan 6, 2016 at 17:40
-
24
-
2
This is now found under the Domain Security Policy menu item on the left of the page
Nov 6, 2017 at 17:14
-
20
Since 63.0.3239.132 this does nothing. The rule seems to be disregarded and even custom domains that link to localhost is now redirected to https. Annoying factor to have to use self-signed certificates for everything...
Jan 5, 2018 at 8:59
| Show 14 more comments
My problem came from having a .dev domain, which was apparently recently registered as a gTLD and put in a commit to Chrome Canary. I found this out from a recent post I came across as I searched for my problem.
If you have the same problem I do, it appears that the best solution is to change your domain to be something other than .dev. The article suggested .test with a potential solution of .localhost later down the road (via this proposal).
answered Sep 18, 2017 at 16:21
Louie BertoncinLouie Bertoncin
2,67111 gold badge88 silver badges55 bronze badges
19
-
50
This was the issue for me as well. On my local development machine I utilized .dev for almost 10 years now. I did a recent Google Chrome update and it started redirecting all of my sites to https for no reason I could understand. Would have never thought it had to do with the .dev, then I came across this answer and changed it to .development and all works well again ... For now :-) . Thanks again!
Dec 8, 2017 at 20:04
-
22
Perfect! I don't understand why Chrome will do something like that, it's very annoying as I have nearly 30 .dev domains in my local. Hope it's a very, very good reason.
Dec 11, 2017 at 9:00
-
4
I have wordpress installed, changing its domain might be a real headache. same for the main directory name ect. is there any other way around?
Dec 11, 2017 at 16:26
-
9
It's because Google bought
.devand presumably will start making public sites using it.Dec 11, 2017 at 18:41
-
22
FML… I almost gave up on my 10+ year web dev career because of this. #starbucksbarista
Dec 13, 2017 at 22:34
| Show 14 more comments
To delete domain under "HSTS" menu in chrome://net-internals is a temporary solution.After visiting this domain over HTTPS it will be included in HSTS list again.
Basicaly, to solve this issue it is necessary to disable HTTP Strict Transport Security on the web-server 3rdrevolution.com (IIS, Apache, nginx,...).For nginx edit its HTTPS section in nginx.conf and set 'max-age=0' for Strict-transport-Security:
server {#... ssl on;#... add_header Strict-Transport-Security "max-age=0;";#...}More info: HTTP Strict Transport Security (HSTS)
3
-
-
for me the server did not issue a HSTS header so this is not a solution. From what I can tell, chrome recorded when I accidentally visited it with https and created an internal HSTS record that then mysteriously redirected me to https everytime. Fix was to use the delete HSTS record in chrome:net-internals. Had a handy checker in there as well.
–rob
May 15, 2017 at 13:53
-
2
To delete HSTS record is a temporary solution. You will get this record in chrome again and again after visit https untill server send "max-age=0".
May 16, 2017 at 17:46
Add a comment |
https://www.3rdrevolution.com sends the Strict-Transport-Security header so accessing it over https once will make browsers like Chrome/Firefox redirect http requests to https until some specified point in the future.
As the other answer said, the only way to stop this once it starts is to clear the browser cache (or wait for the browser to expire the order).
Add a comment |
There could be a couple of reasons for this, including plugins but assuming that you do not have any plugins installed you can do the following:
Goto Settings/Privacy/Clear Browsing Data...
Select The Beginning of Time in the pull down.
Select:
- Clear saved Autofill form data
- Delete cookies and other site and plug-in data
- Empty the cache
Select Clear Browsing Data
This should take care of it doing any Auto-fill based on your previous browsing. Also, it will remove any of the cookies that could also be causing problems.
4
-
The problem for me was the cache. I was able to go to my http site fine in firefox and a chrome incognito window. There were no cookies for the site.
Aug 29, 2016 at 14:40
-
1
This also worked for me where the HSTS did not. I only had to check the "Images and Files" checkbox.
Mar 1, 2017 at 16:16
-
-
Add a comment |
From https://galaxyinternet.us/google-chrome-redirects-localhost-to-https-fix/
None of the option fixes worked for me, for fixing https://localhost:3000, this did.
Click and hold reload button and select “Empty Cache and Hard Reload,” this seems to only be an option on localhost.
51.7k1818 gold badges162162 silver badges205205 bronze badges
1
-
4
To make this work on Chrome
Version 77.0.3865.90 (Official Build) (64-bit)(MacOS), I had to do this [1] (after opening problematic page) Right click anywhere and click onInspect[2] After the inspect frame appears, click and hold onreloadbutton [3] in the drop-down that appears, click onEmpty Cache and Hard reloadSep 27, 2019 at 7:55
Add a comment |
If you are facing the problem on a subdomain then this line in Nginx might cause a problem even if the subdomain is in another server, as the browser will cache this information.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";so remove the includeSubdomains; of it to make it work.
1
Add a comment |
A less drastic alternative than clearing all cookies ever is Settings>Show advanced settings>Content Settings>All Cookies and site data then search for the sites in question and clear cookies for only those.
2
Before few days I accidentally turned on Chrome options named:
- Automatically send some system information and page content to Google to help detect dangerous apps and sites
- Protect you and your device from dangerous sites
And now the main problem was that our website on subdomain always redirect from http:// to https:// and browser gave me an error:
"Your connection is not private. Attackers might be trying to steal your information from censored.censored.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID"
Open chrome://settings/privacy and turn previously named chrome options that automatically protect your devices. Hope this will help someone.
1
Add a comment |
in Chrome 66, lots have changed in the Settings tab
you can just go to chrome://settings/resetProfileSettings?origin=userclick then hit reset.
this worked for me.
1
-
5
Add a comment |
Not the answer you're looking for? Browse other questions tagged
Not the answer you're looking for? Browse other questions tagged
