Something in my Django code is forcing development server (runserver) redirection from http to https.
I get these logs by docker web container after running docker compose up -d --build and trying to access my website development server:
2023-07-04 10:16:50 Starting development server at http://0.0.0.0:8000/
2023-07-04 10:16:50 Quit the server with CONTROL-C.
2023-07-04 10:16:49 Watching for file changes with StatReloader
2023-07-04 10:18:03 [04/Jul/2023 08:18:03] "GET / HTTP/1.1" 301 0
2023-07-04 10:18:03 [04/Jul/2023 08:18:03] code 400, message Bad request version ('YñEë\x99õUÂ~Ô¾OÝ6P+')
2023-07-04 10:18:03 [04/Jul/2023 08:18:03] You're accessing the development server over HTTPS, but it only supports HTTP.
These are my django security settings in:
SECURE_SSL_REDIRECT = os.environ.get("DJANGO_SECURE_SSL_REDIRECT", default=True)
SECURE_HSTS_SECONDS = int(os.environ.get("DJANGO_SECURE_HSTS_SECONDS", default=2592000))
SECURE_HSTS_INCLUDE_SUBDOMAINS = os.environ.get("DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS", default=True)
SECURE_HSTS_PRELOAD = os.environ.get("DJANGO_SECURE_HSTS_PRELOAD", default=True)
SESSION_COOKIE_SECURE = os.environ.get("DJANGO_SESSION_COOKIE_SECURE", default=True)
CSRF_COOKIE_SECURE = os.environ.get("DJANGO_CSRF_COOKIE_SECURE", default=True)
But i changed them to make them False in development with environment variables in .env file:
DJANGO_DEBUG=1
DJANGO_SECURE_SSL_REDIRECT=False
DJANGO_SECURE_HSTS_SECONDS=0
DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS=False
DJANGO_SECURE_HSTS_PRELOAD=False
DJANGO_SESSION_COOKIE_SECURE=False
DJANGO_CSRF_COOKIE_SECURE=False
But actually these seem ok and I got the same problem, https is forced.
Please what could cause the forcing of redirecting from http to https? I tried changing browser (chrome and firefox), changing env variables, deleting browser cache and basically everything I found on the internet but nothing changes this behaviour. It seems not a browser problem, but is my code that is doing this.
I think is possible I set in a wrong way and made a mess with DJANGO_SECURE_HSTS_SECONDS, maybe at some point in my settings.py I set it to a very big number and probably didn't set well the env variables in development .env file, so that now my local server is being redirected to https for a very long time (there is a warning about it in django documentation)? Is it possible? What should I do in such situation?
