Google Chrome redirecting localhost to https

C

35

560

When I debug a Visual Studio project using Chrome the browser tries to redirect to the https equivalent of my web address. I do not have SSL enabled in the web project and the start URL is the http URL. When I debug using FireFox or IE I do not have this problem.

I did re-install Chrome which fixed the problem for a day. Without downloading any addons the problem happened again the next day.

What is making Chrome redirect localhost to https?

Network Inspect Shows: Request URL:data:text/html,chromewebdata Request Headers Provisional headers are shown User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

No preview and no response data in those tabs.

Criner answered 13/8, 2014 at 3:14 Comment(11)

what is Network Inspector showing ? – Meakem 18/8, 2014 at 14:19

Network inspect doesn't show much at all. I can't even see the URL being requested. Request URL:data:text/html,chromewebdata Request Headers Provisional headers are shown Cache-Control:no-cache Pragma:no-cache User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 – Criner 22/8, 2014 at 14:54

CHROME 63: keep scrolling for answers – Mucro 7/11, 2017 at 18:39

By just reinstalling my chrome solves all the issues.. now my .dev and not redirecting to https anymore. I wish i would have tried that earlier.. wasted so much time.. – Nation 24/11, 2017 at 13:0

Anyone with this problem recently, if you are trying to use .dev as your local doman, it's a whole new issue so I don't think any of these answers will work anymore. As of Chrome 63... "Chrome to force .dev domains to HTTPS via preloaded HSTS". So no more self-signed SSL certs. Apparently .dev is a real domain. Who knew. – Easy 8/12, 2017 at 11:35

When I upgraded from Chrome 62 to 63 on my mac, I couldn't use .app either. I had to use .test. – Fang 25/12, 2017 at 12:18

But while what I did is changed the domain from .app to .appp it is working fine with the chrome. Can anyone tell me about that – Oviform 15/1, 2018 at 6:6

Was happening to me as well on Chrome 74.0.3729.131. I have several localhost projects. DevTools was not showing much. But did an empty cache/hard reload from right click on refresh with dev tools up, and that allowed me to now type in https. Somewhat related to answer below, but less steps. – Peremptory 15/5, 2019 at 14:14

For those like me who tried anything possible unsuccessfully, have a look to your web server config to check that HTTP requests are not rewrited to HTTPS (htaccess file for instance)... I feel so stupid... – Fodder 16/3, 2021 at 21:57

It's helped me. superuser.com/questions/565409/… – Breechblock 2/8, 2021 at 6:56

The selected answer seems out of date. I was successful at resolving this with https://mcmap.net/q/36018/-google-chrome-redirecting-localhost-to-https -- which is quick and painless – Serb 25/8, 2022 at 14:12

V

960

I believe this is caused by HSTS - see http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

If you have (developed) any other localhost sites which send a HSTS header ...

e.g. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

... then depending on the value of max-age, future requests to localhost will be required to be served over HTTPS.

To get around this, I did the following.

In the Chrome address bar type the following:

chrome://net-internals/#hsts
At the very bottom of a page there is QUERY domain textbox - verify that localhost is known to the browser. If it says "Not found" then this is not the answer you are looking for.
If it is, DELETE the localhost domain using the textbox above
Your site should now work using plain old HTTP

This is not a permanent solution, but will at least get it working between projects. If anyone knows how to permanently exclude localhost from the HSTS list please let me know :)

UPDATE - November 2017

Chrome has recently moved this setting to sit under the section

Delete domain security policies

UPDATE - December 2017

If you are using .dev domain see other answers below as Chrome (and others) force HTTPS via preloaded HSTS.

Vanillic answered 18/2, 2015 at 14:56 Comment(13)

I tried to query for "localhost" but it says Not found – Candiecandied 17/3, 2016 at 14:28

you can also try it in another browser, such as IE. – Dumbwaiter 1/2, 2017 at 5:52

For those using Edge, clearing browsing data has the same effect. – Attributive 2/2, 2017 at 10:29

I know this is an old post, but any idea how to resolve if, on querying localhost as per accepted answer, it does return 'not found'? Tried everything in all comments and answers here. – Uncommitted 10/5, 2017 at 15:5

I have the same issue. But this solution does not work. On "chrome://net-internals/#hsts" localhost is not found.... – Unwarrantable 9/6, 2017 at 19:56

This is total garbage by Chrome. How do they expect us to dev locally when they just arbitrarily start forcing you to HTTPS on your freaking localhost? I have used everything just fine for months, I log in one morning and get this crap to deal with. None of these "fixes" are working for me. – Branch 7/12, 2017 at 21:40

If your localhost domain is .dev then I believe this is not working @Branch because as of the recent release of v.63 ... "Chrome to force .dev domains to HTTPS via preloaded HSTS". As such, .dev basically won't work at all anymore unless you have proper signed SSL certificate. No more self signed certificates allowed. More details. – Easy 8/12, 2017 at 11:39

If you're using Laravel valet change your parked working directory TLD by valet domain test – Globular 14/12, 2017 at 21:19

If it helps anyone, I turned off the capturing events and it didn't work for me. I had to go back to the page again with capturing events running in order for it to work. – Lennielenno 23/1, 2018 at 16:31

The "Delete" button does not do anything, as I reported here. After clicking "Delete", when I check the domain in "Query HSTS/PKP domain", it still shows the should-be-deleted information as if I didn't ask it to delete that. – Redeemable 29/3, 2018 at 2:43

Currently it is no longer possible to disable it. I had to install version 78 of Chrome to re-use it. – Latoshalatouche 28/5, 2020 at 15:21

See this answer from @IvanEfremov for a solution which works – Jorgejorgensen 11/9, 2021 at 22:59

This answer works perfectly in 2023 – Thigmotropism 14/1, 2023 at 15:9

C

422

I experienced the same problem in Chrome and I tried unsuccessfully to use BigJump's solution.

I fixed my problem by forcing a hard refresh, as shown in this blog (originally from this SuperUser answer).

Ensure your address bar is using the http scheme and then go through these steps, possibly a couple of times:

Open the Developer Tools panel (CTRL+SHIFT+I)
Click and hold the reload icon / Right click the reload icon.
A menu will open.
Choose the 3rd option from this menu ("Empty Cache and Hard Reload")

Clinical answered 15/10, 2015 at 3:40 Comment(5)

You can also right-click on the refresh/reload icon to get to the Hard Reload menu – Syringe 2/2, 2016 at 16:10

I cannot get this solution to work. The problem is that it does a hard reload on localhost:3000 (in my case). Attempting to change the protocol before the reload but that doesn't work. – Receptacle 30/1, 2017 at 20:16

Worked for me by pressing "CTRL + SHIFT + R" for a hard reload. – Arabella 11/7, 2018 at 14:20

On chromium, it is F12 and not CTRL+SHIFT+I – Garland 25/9, 2018 at 18:22

Also for me this worked, with a slight tweak: I am working on a couple of apps in Django, and one of them was applying a permanent redirect. Doing the hard reload on the old address cleared the cache, but the address was still old (and wrong). But at the second attempt, correcting the address in the address bar made the trick. Thanks! – Madrigalist 6/3, 2019 at 16:8

E

216

NEW DEVELOPMENTS! (if you have Chrome 63+)

If your localhost domain is .dev then I don't think the previously accepted answer works. The reason why is because since Chrome 63, Chrome will force .dev domains to HTTPS via preloaded HSTS.

What this means is, .dev basically won't work at all anymore unless you have proper signed SSL certificate -- no more self signed certificates allowed! Learn more at this blog post.

So to fix this issue now and to avoid this happening again in the future .test is one recommended domain because it is reserved by IETF for testing / dev purposes. You should also be able to use .localhost for local dev.

Easy answered 10/12, 2017 at 22:41 Comment(11)

This was my problem. If local with an Apache virtual host setup, you can try # Add to your VH config: ServerAlias sitename.test ServerAlias www.sitename.test # Add: sitename.test to /etc/hosts # Restart Apache. # Update links if needed – Catlike 13/12, 2017 at 2:37

I changed all .dev domains to .app, still same issue. Any pointers on what the issue might be? – Naker 14/12, 2017 at 18:49

Hmm. You should try using .test or .localhost as suggested. I'm not sure if .app is another of the domains Chrome is force re-directing to HTTPS but as that's a real domain and it's another one owned by Google it's a risk either way and likely the problem. – Easy 14/12, 2017 at 19:1

.localhost didn't work for me either, but .test did. Thanks! – Wool 16/12, 2017 at 17:55

@Naker try using .test – Wool 16/12, 2017 at 17:55

project.test instead of opening project does google search, what can be the cause? – Landlordism 17/12, 2017 at 8:52

@KailashVele google thinks it's a search query. Just put a / at the end of it like project.test/. Google will cache it so you won't have to type that / again after that. – Naker 17/12, 2017 at 18:45

This is EXTREMELY annoying. Surely there must be some way to not force us to change our development domain, right? – Willard 18/12, 2017 at 11:32

replacing .dev by .test worked for me too in Chrome 63 – Interfertile 21/12, 2017 at 6:30

These counter-intuitive defaults are terrible. Why should one lose time debugging their dev environment setup, or just guessing what's going wrong, just to discover that everything is okay their side and it is Google Chrome that redirects .dev to HTTPS by default. Where is the logic. Why .dev and why not other TLD(s)? Absolutely not intuitive. – Mirna 25/12, 2017 at 6:36

@Mirna Because .dev actually exists as a new gTLD and it is owned by Google. – Dorweiler 15/11, 2023 at 0:25

G

101

Piggybacking off Adiyat Mubarak

Could not hard refresh as it was just refreshing on https. Follows some of the same steps.

1. Open chrome developer tools (ctrl + shift + i)
2. Network Tab at the top
3. Click Disable cache checkbox at the top (right under network tab for me).
4. Refresh page (while the developer tools is still open)

Grounder answered 11/4, 2017 at 19:37 Comment(3)

I'm using a .local domain and this worked when the HSTS solution above did not. – Consonance 18/8, 2017 at 18:8

when I did that the first time, it didn't work but I noticed an input on the same tap which is "Network" on the left that contains "domain:127.0.0.1 scheme:https", I just modify it to "domain:127.0.0.1 scheme:HTTP" by removing "s" char from http and has worked – Iconostasis 30/9, 2021 at 2:5

This was the first solution that worked, since every other solution redirected back to the https domain. – Serb 25/8, 2022 at 14:9

D

50

Go to

chrome://net-internals/#hsts

Enter localhost under Delete domain security policies and press the Delete button.

Now go to

chrome://settings/clearBrowserData

tick the box Cached images and files and press click the button Clear data.

Donnettedonni answered 9/3, 2021 at 21:32 Comment(0)

K

49

I am facing the same problem but only in Chrome Canary and searching a solution I've found this post.

one of the next versions of Chrome is going to force all domains ending on .dev (and .foo) to be redirected to HTTPs via a preloaded HTTP Strict Transport Security (HSTS) header.

{ "name": "dev", "include_subdomains": true, "mode": "force-https" },
{ "name": "foo", "include_subdomains": true, "mode": "force-https" },

So, change your domains.

Karykaryl answered 19/9, 2017 at 14:45 Comment(2)

.test is a special reserved tld that should remain safe. – Steapsin 11/12, 2017 at 1:40

09-12-2022: this solution doesn't work. I have tried all the solutions listed on this page. Nothing works. – Melissa 9/12, 2022 at 14:18

R

26

Open Chrome Developer Tools -> go to Network -> select Disable Cache -> reload

Robedechambre answered 9/5, 2020 at 15:12 Comment(2)

But this disable cache for all websites you have in a normal Chrome windows... that's not nice... I was able, later, to clean the cache and enable the cache option again and still seems to work... – Uta 18/2, 2021 at 14:6

This is a clean and simple solution. Thank you. – Bridesmaid 13/1, 2023 at 9:57

G

19

I also have been struggling with this issue. Seems that HSTS is intended for only domain names. So if you are developing in local machine, it much easier to use IP address. So I switched from localhost to 127.0.0.1

Gaona answered 11/12, 2015 at 9:59 Comment(0)

A

18

Chrome 63 (out since December 2017), will force all domains ending on .dev (and .foo) to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header. You can find more information about this here.

Anarchic answered 13/12, 2017 at 6:33 Comment(1)

^^ Ditto. It affected our .app domains in the last week as well. We're temporarily switching to .test although I don't think that's a long-term solution. – Valuer 14/12, 2017 at 19:43

D

17

from https://galaxyinternet.us/google-chrome-redirects-localhost-to-https-fix/

None of the option fixes worked for me, for fixing https://localhost:3000, this did.

click and hold Reload Button and select Empty Cache and Hard Reload, this seems to only be an option on localhost

Duffey answered 27/2, 2018 at 19:32 Comment(2)

Latest Chrome updated so this solution will no longer work. – Duffey 4/12, 2018 at 19:56

This should work on all domains if you have the developer toolbar open – Slapstick 30/8, 2019 at 22:3

T

13

A lazy and fast solution for lazy people like me (working in Chrome 67).

Just launch another Chrome window in Stealth Mode, with the "Incognito Window" option (CTRL + SHIFT + N). No need to delete cache, no need to dive into deep Chrome settings, etc.

Tidewaiter answered 8/8, 2018 at 8:2 Comment(1)

This works, but it makes my AJAX requests extremely slow because of provisional headers. – Varices 2/11, 2018 at 13:48

E

11

How I solved this problem with chrome 79:

Just paste this url in you search input chrome://flags/#allow-insecure-localhost

It helped me by using experimental features.

Emilio answered 23/12, 2019 at 8:36 Comment(0)

C

7

I never figured out the root of the problem however I was able to fix this problem. I deleted the Google Chrome app cache folder which solved the problem.

C:\Users[users]\AppData\Local\Google\Chrome

Criner answered 22/8, 2014 at 19:26 Comment(2)

I believe the issue is that Chrome stores when you visit a domain using HTTPS and then if you ever visit the same domain again it automatically switches to HTTPS. Its a pain in the arse as a developer because once you access any localhost site using HTTPS, suddenly all locahost sites are redirected to HTTPS. – Megdal 22/12, 2014 at 3:41

@DaleBurrell You are not right. This is caused by HSTS: en.wikipedia.org/wiki/HTTP_Strict_Transport_Security – Introvert 19/11, 2016 at 6:9

R

7

This can be caused by a cached https redirect, and can be fixed by clearing the cache manually as in Adiyat Mubarak's answer.

But if you are visiting localhost you likely are a developer, in which case you will find a cache clearing chrome extension such as "classic cache killer" (see e.g. https://chrome.google.com/webstore/search/classic%20cache%20killer?hl=en) useful in a variety of situations, and likely already have one installed.

So the quick fix is: Install a cache killer (if you don't have one already), turn it on, and reload the page. Done!

Rumery answered 8/3, 2018 at 5:38 Comment(0)

Q

5

None of these worked for me. It started happening after a chrome update (Version 63.0.3239.84, linux) with a local URL. Would always redirect to https no matter what. Lost some hours and a lot of patience on this

What did worked after all was just changing the domain.

For what is worth, the domain was .app. Perhaps it got something to do? And just changed it to .test and chrome stopped redirecting it

Quaint answered 8/12, 2017 at 12:57 Comment(0)

F

5

Unfortunately, none of the solution listed here helped me to resolve this issue. I fixed this issue by using http://127.0.0.1 (ip address) instead of http://localhost. A quick little hack to work with angular development with chrome browser.

Floating answered 10/4, 2019 at 22:45 Comment(0)

W

5

A simple solution to this is to edit your /etc/hosts file and establish one alias per project.

127.0.0.1   project1 project2 project3

These domainless names will never have the problem with HSTS unless you send the HSTS response mentioned by @bigjump and with the added benefit of maintaining your login session if you change back and forth between projects.

Wily answered 31/8, 2019 at 13:48 Comment(0)

V

5

Tried everything mentioned (browser preferences, hsts, etc.) but nothing worked for me.

I solved it by adding a trailing .localhost to the host aliases. In my case this file under windows: %windir%\system32\drivers\etc\hosts

Like this:

127.0.0.1    myproject.localhost
127.0.0.1    dev.project.localhost

Volga answered 16/12, 2020 at 14:37 Comment(1)

I'm supposed to avoid making comments like "thanks" but this was driving me crazy for hours and using my-domain.localhost was the only thing that worked. Ta! – Barbiebarbieri 27/3, 2023 at 16:1

A

3

Go to

chrome://net-internals/#hsts

Enter the domain under Delete domain security policies and press the Delete button.

Abomination answered 18/4, 2022 at 12:13 Comment(0)

N

1

In my case, I had my project path set as /Users/me/dev/project_root/ and was running the nodeJS/express server from there. Renaming my path to /Users/me/project_root (removing dev from the path to project) resolved the issue.

Most likely has to do with this new regulation:

Chrome 63 (out since December 2017), will force all domains ending on .dev (and .foo) to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header.

You can find more information about this here.

Using:

Google Chrome Version 70.0.3538.110 (Official Build) (64-bit)
nodeJS v9.2.0

Noletta answered 7/12, 2018 at 19:48 Comment(0)

M

1

None of the other solutions worked for me. As a temporary work around, I go to:

http://127.0.0.1:3000/

(replace 3000 with desired port) And I can at least access my local host that way!

Marylynnmarylynne answered 15/8, 2023 at 11:32 Comment(0)

S

0

Go to settings in Chrome and then to Advanced settings, under privacy and security section click Clear browsing data and then clear all data. I followed these steps and it worked for me. Hope it helps some one.

Scarborough answered 27/12, 2017 at 5:21 Comment(0)

B

0

Chrome 63 forces .dev domains automatic to HTTPS via preloaded HSTS.
Quick fix: just change the .dev domains to .localhost.

Boondoggle answered 8/1, 2018 at 12:1 Comment(0)

F

0

This is not a solution, it's just a workaround.

Click on your visual studio project (top level) in the solution explorer and go to the properties window.
Change SSL Enabled to true. You will now see another port number as 'SSL URL' in the properties window.
Now, when you run your application (or view in browser), you have to manually change the port number to the SSL port number in the address bar.

Now it works fine as a SSL link

Feltonfelts answered 25/1, 2018 at 2:47 Comment(0)

T

0

The issue could be replicated in VS 2019 also. This is caused due to "Enable Javascript debugging from Visual Studio IDE". The VS attaches to Chrome and it is a possibility that due to security or reasons known to Google and Microsoft, it sometimes fails to attach and you have this issue. I am able to run http and https with localhost from ASP net core 3.1 app. So while debugging in VS, go to the run with arrow -> IIS express, just below "Web Browser(Chrome)" select "Script Debugging (Disabled)".

See article: https://devblogs.microsoft.com/aspnet/client-side-debugging-of-asp-net-projects-in-google-chrome/

https://learn.microsoft.com/en-us/visualstudio/debugger/debugging-web-applications?view=vs-2019

Always fallback to Microsoft docs to get more clarity than googling an issue.

Treehopper answered 25/8, 2020 at 22:16 Comment(0)

A

0

For me, the following worked in Chrome 90. My app opened up a local webpack server on localhost:3000 which automatically redirected to HTTPS, and I got ERR_SSL_PROTOCOL_ERROR.

I clicked on the little info icon next to the URL, opened up the Site Settings from the menu dropdown. In the list, the Insecure content was set to Block (default).

I changed this to Allow, and just reloaded the http version and it loaded fine.

Hope this will help people out.

Amberlyamberoid answered 18/5, 2021 at 8:59 Comment(0)

S

0

I could not get any solution to work; but a redirect in my web.config allowed me to continue to work (localhost) until I find what is causing the issue.

This is essentially a rewrite rule that turns HTTPS to HTTP; it seems to have overwritten the previous rule that redirected HTTP to HTTPS.

It needs to be within your <system.webServer> </system.webServer> section in web.config

    <rewrite>
  <rules>
    <clear />
    <rule name="Redirect to https" stopProcessing="true">
      <match url=".*" />
      <conditions>
        <add input="{HTTP}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
    </rule>
  </rules>
</rewrite>

Segalman answered 8/6, 2021 at 9:48 Comment(0)

G

0

In my case I was using browser-sync on a Mac and the browser kept redirecting http://localhost:3000 to https://localhost:3000.

I am using Valet to serve local sites, and I had run valet secure on the local *.test domain to give it a SSL cert. Because I was proxying this HTTPS domain in browser-sync, the browser was loading localhost:3000 with HTTPS.

To fix it I had to:

run valet unsecure to remove the SSL cert
run valet restart
restart browser-sync
open localhost:3000 in the browser (Vivaldi in my case which is a Chromium browser)
Open Developer Tools
Tick "Disable Cache" on the Network tab
Refresh the page

Goodyear answered 17/7, 2021 at 17:18 Comment(0)

B

0

Turns out this error message was sending me down a rabbit hole.

The problem for me was that the page I was trying to load on http was failing to return a response (due to a bug in my code that was crashing the server).

Chrome was automatically trying https automatically as a backup so, instead of seeing the actual error (page timed out), I was seeing the SSL error which was a red herring.

Fixing the underlying server crash & navigating back to http://localhost:5000 fixed my problem.

Bengaline answered 5/9, 2021 at 15:30 Comment(0)

S

0

If you happen to be working on a Wordpress site, and after trying everything on this page and still the http://127.0.0.1/wp-admin get redirected to https://127.0.0.1/wp-admin. Try this:

Go to wp-config.php and replace

define('WP_HOME','https://example.com');

define('WP_SITEURL','https://example.com');

to

define('WP_HOME','http://127.0.0.1');

define('WP_SITEURL','http://127.0.0.1');

Tested on Chrome and Firefox.

Stickinthemud answered 10/12, 2022 at 14:16 Comment(0)

P

-1

For someone who had the same problem I solved by pressing CTRL + SHIFT + DELETE to delete just the entire browser cache. Now I can access my localhost website on HTTP protocol.

Philosophy answered 25/10, 2017 at 13:3 Comment(0)

D

-1

For anyone running a Node.js express server on localhost like me, I have this piece of code that redirects http to https:

const server = express() 
  .use((req, res, next) => {
    if (req.headers['x-forwarded-proto'] != 'https') {
      res.redirect('https://' + req.headers.host + req.url)
    } else {
      next()
    }
  })

You have to make sure it doesn't redirect localhost:

const server = express() 
  .use((req, res, next) => {
    if (req.headers['x-forwarded-proto'] != 'https' && req.headers['host'].indexOf("localhost") == -1) {
      res.redirect('https://' + req.headers.host + req.url)
    } else {
      next()
    }
  })

Downright answered 30/3, 2022 at 3:44 Comment(0)

S

-2

@Adiyat Mubarak answer did not work for me. When I attempted to clear the cache and hard-reload, the page still redirected to https.

My solution: In the upper right-hand corner of the url bar (just to the left of the favorites star icon) there is an icon with an "x" through it. Right-click on that, and it will say something about "unsafe scripts", then there is an option to load them anyway. Do that.

Superstitious answered 12/1, 2017 at 15:51 Comment(0)

A

-2

Another option would be to use something like https://github.com/rchampourlier/tunnelss

Sure it added another dependency / setup, but it also enables testing of https in dev, which could be nice.

I use RVM however to get tunnelss working I had to use sudo gem install tunnelss and sudo tunnelss

Amphibology answered 14/12, 2017 at 22:59 Comment(0)

D

-4

That's the fastest solution today (17-3-2018):

Close all Chrome tabs / windows and run on your command line this: (or add it as a shortcode)

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors

Darnelldarner answered 17/3, 2018 at 17:43 Comment(0)

UPDATE - November 2017

UPDATE - December 2017

Recommended topics

Hot tags