Firefox redirects to https

Question

I'm using Firefox, and while setting up a server, I have been fiddling around with redirects. Now, Firefox has cached a 301 redirect from http://example.com/ to https://example.com/ and from http://sub.example.com/ to https://sub.example.com/.

I've tried the following things:

History -> Show all history -> Forget about this site.
Checked that no bookmark with https://example.com/ is present.
Changing browser.urlbar.autoFill to false in about:config.
Changing browser.cache.check_doc_frequency from 3 to 1.
Options -> Advanced -> Network -> Chached Web Content -> Clear now.

None of the above works, so I checked the redirect with wheregoes.com and it doesn't show any redirect from http to https. I've even changed the DNS to point to another IP served by a server, where I've never set up redirection - the redirection is still in effect.

I've also tried in Private Browsing in Firefox, and there is no redirect there. I've tried in Google Chrome, and there is also no redirect here.

I've also tried to make a redirect from https to http which worked in Google Chrome, and yielded a redirection error in Firefox.

My version of Firefox is 38.0.1, and I'm using Windows 8.1. I use the following addons: AddBlock, Avast! and LastPass. Avast! may not be the issue, as I've disabled it while testing.

What I can do about it?

I faced the same issue last few days in my local development but I founded some reference bellow Chrome & Firefox now force .dev domains to HTTPS via preloaded HSTS Please read this info. - https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/ - https://medium.engineering/use-a-dev-domain-not-anymore-95219778e6fd For the future development I would suggest you should use .local or .localhost to avoid this issue happen again :) — Sophy, Mar 27 '18 at 05:52
This works in Chrome: https://stackoverflow.com/a/28586593/1069083 — rubo77, Apr 30 '19 at 09:31
This worked for me https://stackoverflow.com/a/65325368/10944219 — tom, Dec 16 '20 at 14:38
I'll add here a note that might be useful to someone: my simpler scenario is I was testing an EC2 instance with `httpd` on it configured for port 80. `http://1.2.3.4/` kept being "converted" to `https://1.2.3.4`. The problema was tha thte `httpd` server was _not responding_ due to misconfiguration, so Firefox was automatically trying the `https` protocol Once I fixed `httpd`, Firefox stopped "converting". — Marcello Romani, Jan 11 '21 at 10:47
Related: [Clear 301-redirect cache in Firefox @ Super User](https://superuser.com/q/467999/84807) — Melebius, Apr 30 '21 at 04:46

score 267 · Accepted Answer · edited Feb 19 '21 at 16:15

267

"Sites preferences" are the culprit. Wasted 45min of my life finding how to fix it despite all the kb/support.mozilla tricks which does not solve your issue nor did mine. I don't know what triggers this issue, but several of my websites started to go pear-shaped in a few weeks only affecting me and only firefox.

That's the solution you are all looking for:

Go to Preferences
Privacy
Click 'Clear your history' (nothing will happen yet, click safely)
Once the pop-up appears, click Details.
Untick everything except 'Sites Preferences'
Select 'Everything' in the select box at the top
Click Ok
Try now

PS: What I did try that did not worked for me are:

urlbar.autofill false
Forget Website trick
Safe mode
We all know it is not an HSTS issue when a website you own and you accessed before never got https support but now FF wants you to use https... It is just a firefox bug IMO.

edited Feb 19 '21 at 16:15

peterh

11,875
18
85
108

answered Dec 02 '15 at 01:52

Thomas

3,119
2
16
22

1

Thanks. Since I asked the question, I've found out it is definitely a consequence of STS. Your solution seems to work, so I will accept it as an answer. I'm sure, I tried your trick back nine months ago, where I faced the problem - so aybe it was a bug that they fixed. – talouv Dec 03 '15 at 18:38
By "STS" do you mean HSTS? – Flimm Feb 22 '16 at 13:25
Flimm, Yes, I meant HSTS. HTTP Strict Transport Security (HSTS). I amended my answer to fix the typo – Thomas Mar 15 '16 at 04:54
13

Now, in FF 49, It's the link *clear your recent history*, see [screenshot](https://support.cdn.mozilla.net/media/uploads/gallery/images/2016-08-06-02-34-23-1b2694.png) found at [Settings for privacy, browsing history and do-not-track | Firefox Help](https://support.mozilla.org/en-US/kb/settings-privacy-browsing-history-do-not-track) – Wolf Nov 17 '16 at 12:20
18

Ticking *Cache* in Clear history details helped me. – cakan Feb 01 '17 at 20:34
Just needed to clear site preferences and everything worked fine – Neri Feb 28 '17 at 07:31
Thanks, I have this problem with developing and using single sso on https, nothing worked, but this worked perfectly, I can again use firefox for development – anquegi Mar 15 '18 at 14:25
Years later ... this did not work for me, unfortunately. Same issue in Chrome and Edge – Ralf May 25 '18 at 16:19
1

@Ralf : if it fails in Chrome and Edge then it is not a firefox problem, it's a server issue (or proxy or any active network device interfering with the HTTP protocol) – Thomas May 28 '18 at 01:27
4

Clear all data in FF 60 doesn't helped me. And For sure it isn't a server issue (i checked it with wireshark and there is only connections on port 443 :() – Maypeur May 28 '18 at 14:41
@Thomas: none of those, actually. Somewhat embarassing, it was a setting in the CMS config that made it forward to https – Ralf Jun 01 '18 at 10:18
In German it is "Einstellungen"->Chronik->"Webseite-Einstellungen" – rubo77 Apr 30 '19 at 09:28
I can confirm - the deletion if the Site Preferences worked here. Of course this only makes sense, if HSTS is not active for that specific site. – elbartus Apr 30 '20 at 12:13
It doesn't work for me. I set the 'browser.autofill' preference to 'false,' and saved the page. I loaded the standard preferences page ([cmd] + [,]) and cleared the 'browsing and download' history, the 'Site Preferences Data,'' and the 'Offline Website Data.'' I even cleared the cookies, site data, and cache. No joy. I switched to Safari where the problem does not exist. Firefox 86.0 (64-bit) MacOS Big Sur v. 11.2.2 – alxfyv Mar 01 '21 at 07:24

score 164 · Answer 2 · edited May 22 '22 at 19:34

164

The solution that worked for me:

Go to about:config
Look for network.stricttransportsecurity.preloadlist and set it to false
Enjoy

If the above STILL DOES NOT WORK, try setting browser.fixup.fallback-to-https to false from about:config

Using Firefox 100 or above you may also need:

dom.security.https_first to false
dom.security.https_first_pbm to false (this one is for anonymous windows)

edited May 22 '22 at 19:34

xonya

2,146
29
37

answered Feb 06 '19 at 17:42

JorgeObregon

3,020
1
12
12

5

This was the setting that I was looking for. Worked for me. I had urlbar.autofill set to false (did not work). I had accessibility.autoblockrefresh set to true (did not work). But this network.stricttransportsecurity.preloadlist worked for me. Firefox v 67.0.4 – John Greene Jul 06 '19 at 16:27
6

This does not work. Even when combined with the accepted answer -- that is, I did both, then closed and re-opened browser -- Firefox still redirects to https. Infuriating. – arnoldbird Apr 03 '20 at 13:37
17

For me this didn't work so I set the `browser.fixup.fallback-to-https` to `false` – Muhammad Sep 09 '20 at 13:05
This worked for me in Firefox 94. – John Freeman Dec 02 '21 at 20:36
For people who dismissed this solution early on (like me) because the domain is an internal domain - HSTS might apply to subdomains! Your organization might configured HSTS on their main domain as well as *any* subdomains. – Ryan Apr 03 '22 at 21:20
This is the only thing that worked for me. Thanks! – mXaln May 11 '22 at 14:55
If none of these work try [Hank Adler's answer](https://stackoverflow.com/a/71603939/1124565) below regarding DNS over HTTPS – amura.cxg Sep 28 '22 at 20:36
1

`browser.fixup.fallback-to-https` also work for me. Example: **http://somedomain** if this domain is not exists or unable to connect then it won't go to **httpS://somedomain** anymore. – vee Mar 27 '23 at 07:43

E_D · Answer 3 · 2018-03-21T11:21:25.980

40

I had the same problem but the answer was that I used a .dev extension to access my local websites !

I cleared all historic data in FF and nothing changed.

Searching for another solution, I found this page https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/

With .dev being an official gTLD, we're most likely better of changing our preferred local development suffix from .dev to something else. If you're looking for a quick "search and replace" alternative for existing setups, consider the .test gTLD, which is a reserved name by IETF for testing (or development) purposes.

I changed my local website extensions from .dev to .test and all work perfectly !

edited Mar 21 '18 at 11:21

answered Mar 19 '18 at 14:39

E_D

531
4
6

Thanks! Changing my local URLs from .com to .test worked for me. – arnoldbird Apr 03 '20 at 13:43
If you're stuck with `.dev`, you can [prevent Firefox from forcing HTTPS with a configuration change](https://tutoref.com/how-to-prevent-firefox-and-chrome-from-forcing-dev-and-foo-domains-to-use-https/). – colan Sep 07 '21 at 15:08

score 23 · Answer 4 · answered May 03 '20 at 11:55

23

Alternative solution, easy.

Open Firefox and in the address bar type this URL

http://example.com/?fake_parameter_to_bypass_cache

This should force the browser to reload the web page from http://

answered May 03 '20 at 11:55

Massimo

3,171
3
28
41

3

LOL, it worked for me. I haven't cleared the cache yet. Now that I've realized this, next step is to clear browser cache. – yanntinoco May 20 '20 at 20:21
i don't want to clear my caches/history, and both configs were already false, so I tried this one and it worked – caduceus Mar 02 '22 at 12:43
Not worked for me firefox 88.0 – MosQuan Jul 28 '22 at 22:03

score 19 · Answer 5 · answered Oct 17 '20 at 23:46

19

None of the answers worked for me, the only the one was the one in the comment of Muhammad so thanks in advance to him, I copy the answer here to make it easier:

Go to about:config
Look for browser.fixup.fallback-to-https and set it to false

answered Oct 17 '20 at 23:46

Rodrigo

394
4
7

2

This was the only thing that worked for me. I had no HSTS entries in my profile, and wasn't prepared to disable HSTS altogether. Turns out this was it for some reason - feels like a bug in FF though, as this setting is supposed to just try HTTPS _after_ trying HTTP if you can't connect to a site. – Tom Jardine-McNamara Oct 20 '20 at 11:52
definitely a lot of wrong answers, but this one worked flawlessly. thank you – CasaCoding Oct 02 '22 at 04:38
Didn't work for me (Firefox 109.0.1). – Esn024 Feb 14 '23 at 05:27

score 18 · Answer 6 · answered Jun 11 '20 at 18:52

18

Check your extensions!

In my case, DuckDuckGo Privacy Essentials extension was causing this redirect. I disabled it, and the problem is solved.

answered Jun 11 '20 at 18:52

026

379
3
5

5

That is super insensitive of Privacy Essentials. I type http, not https. I was suspecting HTTPS Everywhere I forgot about this. Thanks – Default Sep 08 '20 at 04:19
An easy-ish way to try this is to open a private window. It disables all extensions. I assume it also does some other things that could also fix it, so probably not a perfect test. – Chris Dec 17 '21 at 17:14

score 4 · Answer 7 · answered Jan 06 '21 at 18:21

4

Now (Firefox 84) it is much simpler to clear the site's data. Just click the padlock icon on the left of the address bar. Then choose "Clear cookies and site data". I had the same situation as what OP did. It helped me to clear the HTTPS redirect.

answered Jan 06 '21 at 18:21

Marecky

1,924
2
25
39

Out of all the other solutions on this page, this is the ONLY one that worked for me. Thank you for saving what little is left of my hair from pulling it out over this one. /g – TheIcemanCometh Feb 22 '23 at 17:07

x-yuri · Answer 8 · 2022-07-22T23:38:14.293

3

In my case, I decided to use a *.dev domain for local development. But then I tried to open the site in Firefox, and after a while I realized it uses HTTPS, even when I start the url with "http://..." I tried to right-click on the link in the History, and choose Forget About This Site, or clear the cache. But it didn't help.

Later I found out that the dev domain is in HSTS preload list these days. Which means Firefox and Chrome (and probably others) don't let you access the subdomains w/o HTTPS. More on it here and here.

edited Jul 22 '22 at 23:38

answered Aug 20 '20 at 23:22

x-yuri

16,722
15
114
161

1

You mean "...don't let you access the subdomains *without* HTTPS" – volkerk Jul 22 '22 at 15:58
Thanks a lot. Changing `*.dev` to `*.local` resolved my issue. – Mikhail Shcheglov Apr 03 '23 at 08:02

score 3 · Answer 9 · answered Mar 24 '22 at 14:05

3

Here's what worked for me on Firefox v98.0.2:

Settings -> General
Network Settings -> Settings
Uncheck "Enable DNS over HTTPS

answered Mar 24 '22 at 14:05

score 2 · Answer 10 · answered Nov 24 '20 at 22:55

I tried the 'correct' answer, plus the comment about including cache in the deletion, and I was still having issues with my problem site.

I opened the firefox profile directory and searched for the website name in all files.

I found it in 'logins-backup.json' and deleted that file to finally fix the problem.

score 2 · Answer 11 · answered Jun 16 '23 at 09:40

In newer versions of Firefox (tested 2023):

Open the developer tools with F12 and select "network"
Activate "disable cache"
Set the http:// URL that you don't want redirected to https:// in the URL bar and press enter. It will load without redirection.
Deactivate "disable cache" to leave it as it was before.
Try reloading. It'll work correctly.

This allows you to treat the case a) specifically for one single URL and b) not leaving settings changed with respect before.

Just solves the problematic URL reverting it to the proper caching state.

score 1 · Answer 12 · answered Dec 05 '22 at 09:47

Lets get back to the old firefox that was amazing, the 3.6. Nowadays is full of crap for us developers, and sysadmins. I have tons of sites in intranet that cannot have a valid ssl, this is a major deal. I cannot download "deb" files because its a threat, i cannot this and cannot that... why? I am a power user i know what to do whit, why should I (we) be treated like the rest of the users?

The cache, i cannot disable the cache to 100% why?

In a blip of a second i will be using links as my browser.

Firefox should have a expert mode, where none of this crap happens.

I am mad with firefox and chrome. That is why i still use firefox 3.6 in a lot of cases, to bypass stupid restrictions.

score 0 · Answer 13 · answered Nov 12 '20 at 09:22

0

In my case, it was an addon that did it: disabling DuckDuckGo privacy essentials fixed it.

answered Nov 12 '20 at 09:22

Enno

1,736
17
32

score 0 · Answer 14 · answered Jan 28 '21 at 11:15

I had this issue when running Firefox with OWASP ZAP proxy. I didn't knew it was the proxy causing this. In hindsight it's easy to test this: run Firefox without OWASP ZAP proxy to see if it works. To get it working with OWASP ZAP, turn off Heads Up Display (HUD) or enable the HUD only for URL's that are in scope.

score 0 · Answer 15 · answered Sep 30 '21 at 19:19

0

My problem was caused by the HTTPS by default extension. There is a bug that opens HTTP bookmarks with HTTPS. To work around, open "HTTPS by default" Preferences pane and enter domain name exclusion.

answered Sep 30 '21 at 19:19

Les Grieve

708
8
10

score 0 · Answer 16 · edited Jun 14 '22 at 15:24

None of these suggestions worked for me in Firefox v101. What worked for me is changing the value of security.tls.version.min from 3 to 1 in about:config.

[NOTE: After I changed this setting, Firefox initially redirected from http to https. But this time Firefox allowed me to "accept the risk and continue," which wasn't possible when security.tls.version.min was set to 3. --end note]

See also: https://support.mozilla.org/en-US/questions/1116550

score -3 · Answer 17 · answered Dec 07 '20 at 23:00

Now, I had this issue on my workstation's development site. I had an old site that I still wanted to reference, and I couldn't get http to work for anything. There was not https binding, either.

Finally, I realized I had a url-rewrite in my webconfig that redirected all http to https...

hahahaha

score -4 · Answer 18 · edited Jun 02 '15 at 14:56

-4

Disabling https, is not an absolute in Firefox. Some sites will redirect and may not offer http.

However to choose one url over the other if it is an option you can disable autofil:

Address Bar Search In order to change your Firefox Configuration please do the following steps :

In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear. Click I'll be careful, I promise! to continue to the about:config page. In the filter box, type or paste autofill and pause while the list is filtered Double-click browser.urlbar.autoFill to toggle it from true to false.

edited Jun 02 '15 at 14:56

NathanOliver

171,901
28
288
402

answered Jun 02 '15 at 00:52

1

Thanks for your reply. Unfortunately as I mentioned in the question, I've already tried what you describe. Besides, I own the server and the domain, so I know it serves http requests without redirect. – talouv Jun 07 '15 at 07:48
Reference: https://support.mozilla.org/en-US/questions/1019210 complete with typo. – Manngo Dec 15 '19 at 01:31
This answer is a duplicate of the following answer on Mozilla support forums: support.mozilla.org/en-US/questions/1019210#answer-627032 – Armen Michaeli Feb 22 '20 at 12:44

Firefox redirects to https

18 Answers18

Linked