50

When I load http://localhost:3000 in Safari, Safari automatically redirects to https://localhost:3000. How can I disable this functionality?

I went into ~/Library/Cookies/HSTS.plist and removed the localhost entry, then restarted Safari but it just re-added it to that plist file and redirected to https.

Any ideas how to fix this so that on localhost I have to explicitly say http or https?

Charlie Fish

7 Answers

74

I was able to solve this based on an answer from Ask Different.

In short, closing Safari, then running the commands below, worked.

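```bash
# Stop the storage daemon so it cannot rewrite the HSTS file
sudo killall nsurlstoraged
# Delete the per-user HSTS store
rm -f ~/Library/Cookies/HSTS.plist
# Start the storage daemon again
launchctl start /System/Library/LaunchAgents/com.apple.nsurlstoraged.plist
```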

Restarting Safari after running that and trying to go to http://localhost:3000 solved the problem and did not redirect to https.

Hopefully this helps someone fix this problem.

Charlie Fish
  • 2
    Worked for me too. – Cindy Conway Nov 05 '18 at 21:43
  • Yes, thank you, Charlie Fish! Also note: if you have System Integrity Protection enabled, you won't be able to delete HSTS.plist. In that case, you'll need to [disable SIP](https://www.imore.com/how-turn-system-integrity-protection-macos) before running these commands. Be sure to enable it again after you're done! – Michael Bester Mar 04 '19 at 18:26
  • 19
    `rm -f ~/Library/Cookies/HSTS.plist` failed for me with an `Operation not permitted` error. But I could delete the file in the Finder just fine. – Karsten Silz Mar 31 '19 at 11:33
  • 2
    Was able to execute the first and third lines. `rm -f ~/Library/Cookies/HSTS.plist` also failed for me, even as `sudo`. When reopening Safari, https is still forced and I am unable to develop locally. I'm running Mac OS 10.15.6 and Safari 13.1.2. – Will Nielsen Aug 09 '20 at 14:25
  • @MichaelBester I'm on Catalina with SIP enabled and I could delete the file without issues. – mgol Sep 09 '20 at 14:01
  • Also on Catalina, and received the `Operation not permitted` error when attempting `rm -f ~/Library/Cookies/HSTS.plist` – Jeff Evans Sep 10 '20 at 20:34
  • 9
    This partially worked for me: I can access `http:localhost`, but it tries to get `.js` and `.css` files using https. It says "Failed to load resource: An SSL error has occurred and a secure connection to the server cannot be made." Anyone else have this issue? – Rich Nov 12 '20 at 22:42
  • @Rich, Did you get any solution? – Shibbir Ahmed Jan 12 '21 at 20:45
  • I did not remove `HSTS.plist` as I like to keep my other security preferences. I opened the file with a text editor (BBEdit), searched for `localhost`, deleted the `key` entry and the following `dict` entry, then saved the file. Then did the third step and it worked. – Dirk Jan 17 '21 at 11:27
  • @Shibbir Ahmed I have not. – Rich Jan 31 '21 at 18:48
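
The manual edit described in the comments above (removing only the `localhost` key and its `dict` while keeping the other HSTS entries) can be scripted. This is an added example, not code from the answer or its comments; it assumes only that a host entry is a dict-valued key named after the host, and the container and field names in the sample are constructed placeholders, not Safari's.

```python
import plistlib
import shutil
import sys

def drop_host(node, host="localhost"):
    """Delete every dict-valued key named `host`, at any depth. Returns count."""
    removed = 0
    if isinstance(node, dict):
        if isinstance(node.get(host), dict):
            del node[host]
            removed += 1
        for child in node.values():
            removed += drop_host(child, host)
    elif isinstance(node, list):
        for child in node:
            removed += drop_host(child, host)
    return removed

def strip_host(raw, host="localhost"):
    """Return (new_plist_bytes, removed_count), keeping the input's plist format."""
    fmt = plistlib.FMT_BINARY if raw.startswith(b"bplist") else plistlib.FMT_XML
    data = plistlib.loads(raw)
    removed = drop_host(data, host)
    return plistlib.dumps(data, fmt=fmt), removed

# Constructed sample: container and field names are placeholders, not Safari's.
SAMPLE = plistlib.dumps({
    "constructed-container": {
        "localhost": {"constructed-field": 1},
        "example.com": {"constructed-field": 1},
    }
})

if __name__ == "__main__":
    if len(sys.argv) == 2:                 # path to the plist to clean
        path = sys.argv[1]
        shutil.copy2(path, path + ".bak")  # keep a backup before rewriting
        with open(path, "rb") as fh:
            new, n = strip_host(fh.read())
        with open(path, "wb") as fh:
            fh.write(new)
    else:                                  # no argument: run on the sample
        new, n = strip_host(SAMPLE)
    print(f"removed {n} localhost entr{'y' if n == 1 else 'ies'}")
```

Run it with Safari closed and `nsurlstoraged` stopped, as in the answer's first step, then restart the daemon with the third command.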
26

In Safari 13.0.5, deleting website data for localhost (Safari > Preferences > Privacy > Manage Website Data...) solves the problem.


David Moles
  • 5
    I've tried this on two different Macs, one Catalina, one Mojave, and this does not work for me on either. @charlie-fish's answer DID work for me. – bmauter May 19 '20 at 03:52
  • There is no entry for localhost in my settings – SimaPro Feb 15 '21 at 16:18
  • This worked for me in Safari Version 16.3 (17614.4.6.11.4, 17614). MUCH EASIER than closing Safari, since all my windows would then open in the same Desktop, which is a MAJOR BUG on Apple's part. (They only preserve window placement when restarting your Mac.) – iconoclast Mar 02 '23 at 19:53
4

You can try

deleting website data for localhost (Safari > Preferences > Privacy > Manage Website Data...)

After that, close the browser and try again.

If that doesn't work, you can try using a port other than 80 and then going back to port 80 for localhost.

tranchau
4

This also happens if the Content Security Policy "upgrade-insecure-requests" is set. There is an open issue here: https://github.com/github/secure_headers/issues/348

einSelbst
  • Oh my god, I simply can't believe that, thanks for pointing that out!! It ends up my problem was exactly that; a meta tag in the HTML head enabling that policy. – Machado May 10 '22 at 22:40
  • Worked for me with Next Js React app – Dijo Jun 11 '23 at 05:52
2

After following the fix by Charlie with no luck, what worked for me was running a private window, and after a restart, everything seemed fine on both private and public tabs.


MartinsOnuoha
-3

It's possible to use http://127.0.0.1:3000 instead. Or your local computer name. For example: http://andis-mac-5.local:3000.

You can determine the local computer name from system preferences - Share - Edit:


andy
  • Why downvote? For me not to use `localhost` with Safari solved the problem. I think it's a good hint for people who want to have an easy workaround and do not stick to the `localhost` URL. – andy Aug 22 '20 at 18:37
  • This didn't work for me either. It still tries to upgrade the connection of referenced stylesheets, etc. – tgf Oct 23 '20 at 17:53
  • @tgf, probably your stylesheets are referenced with absolute URLs. Try to use relative URLs: ``. Omit the server name in the `href`-attribute. It will be different anyways once you deploy your site to a server. – andy Oct 28 '20 at 08:29
  • You are downvoted because you cannot simply swap out a domain name because it is convenient. – Cochise Ruhulessin Jan 06 '21 at 01:44
  • @CochiseRuhulessin, `localhost` is not a domain name. It is a provisional name for your machine during development. So it must be changed for production use anyway... and in the meantime `localhost` is also working for me in Safari. Maybe they changed something in a recent Safari update? – andy Jan 13 '21 at 08:20
-5

First of all, let's confirm why it is going to HTTPS.

In Developer Tools is it showing a 301 or 302 redirect?

If so it's your web server saying to go to HTTPS. Fix your web server config.

Or is it a 307 redirect which indicates HSTS?

To be perfectly honest I'm not sure if Safari shows this as a 307 (a fake internal redirect to represent HSTS), so it might just go there without showing this, but Chrome does show this.

If so, then deleting that file and restarting should solve that. However, can you confirm if the HTTPS site is returning a strict-transport-security HTTP Header? If so then it will just set that next time you happen to go to HTTPS (including if your page loads an image over HTTPS). Can you remove that header? Or better yet, publish it with a max-age of 0 so it removes it from the HSTS browser cache without having to figure out which file it's in or if Safari have moved it from ~/Library/Cookies/HSTS.plist

Barry Pollard
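
The checks described in the answer above (301/302 versus 307, and the `strict-transport-security` header with its max-age) and in the earlier answer about the `upgrade-insecure-requests` Content Security Policy can be combined into one diagnostic. This is an added example, not code from either answer; the function name, the finding labels and the sample responses are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class MetaCSP(HTMLParser):
    """Collects policies from <meta http-equiv="Content-Security-Policy"> tags."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v or "" for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))

def diagnose(scheme, status, headers, body=""):
    """Name every reason this response gives a browser to move to https."""
    h = {k.lower(): v for k, v in headers.items()}
    found = []
    # 301/302 pointing at https: the web server itself is redirecting.
    if status in (301, 302) and h.get("location", "").lower().startswith("https://"):
        found.append("server-redirect")
    # 307 as shown by Chrome's developer tools for an HSTS upgrade (per the answer).
    if status == 307 and scheme == "http":
        found.append("hsts-internal-redirect")
    # Browsers honour Strict-Transport-Security only on https responses.
    sts = h.get("strict-transport-security")
    if sts is not None and scheme == "https":
        m = re.search(r'max-age\s*=\s*"?(\d+)', sts, re.I)
        if m:
            found.append("hsts-cleared" if int(m.group(1)) == 0 else "hsts-set")
    # upgrade-insecure-requests can arrive as a header or as a <meta> tag.
    parser = MetaCSP()
    parser.feed(body)
    policies = [h.get("content-security-policy", "")] + parser.policies
    directives = [d.split()[0].lower() for p in policies for d in p.split(";") if d.split()]
    if "upgrade-insecure-requests" in directives:
        found.append("csp-upgrade-insecure-requests")
    return found

# Constructed responses from a hypothetical local development server.
SAMPLES = {
    "redirect": ("http", 302, {"Location": "https://localhost:3000/"}, ""),
    "hsts": ("https", 200, {"Strict-Transport-Security": "max-age=31536000"}, ""),
    "reset": ("https", 200, {"Strict-Transport-Security": "max-age=0"}, ""),
    "meta": ("http", 200, {}, '<meta http-equiv="Content-Security-Policy" '
                              'content="upgrade-insecure-requests">'),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(name, diagnose(*args))
```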