Safari 在本地主机上不断强制 HTTPS

Question

When I load http://localhost:3000 in Safari, Safari automatically redirects to https://localhost:3000 . How can I disable this functionality?

I went into ~/Library/Cookies/HSTS.plist and removed the localhost entry, then restarted Safari but it just re-added it to that plist file and redirected to https.

Any ideas how to fix this so that on localhost I have to explicitly say http or https?

Answer 1

I was able to solve this based on an answer from Ask Different .

In short, closing Safari, then running the commands below, worked.

sudo killall nsurlstoraged
rm -f ~/Library/Cookies/HSTS.plist
launchctl start /System/Library/LaunchAgents/com.apple.nsurlstoraged.plist

Restarting Safari after running that and trying to go to http://localhost:3000 solved the problem and did not redirect to to https .

Hopefully this helps someone fix this problem.

Answer 2

In Safari 13.0.5, deleting website data for localhost ( Safari > Preferences > Privacy > Manage Website Data... ) solves the problem.

Answer 3

This also happens if the Content Security Policy "upgrade-insecure-requests" is set. There is an open issue here: https://github.com/github/secure_headers/issues/348

Answer 4

You can try

deleting website data for localhost (Safari > Preferences > Privacy > Manage Website Data...)

After that close browser and try it.

If cannot you can try make different port 80 after back port 80 for localhost

Answer 5

After following the fix by Charlie with no luck, what worked for me was running a private window. and after a restart, everything seemed fine on both private and public tabs.

Answer 6

It's possible to use http://127.0.0.1:3000 instead. Or your local computer name. For example: http://andis-mac-5.local:3000 .

You can determine the local computer name from system preferences - Share - Edit :

Answer 7

First of all lets confirm why it is going to HTTPS.

In Developer Tools is it showing a 301 or 302 redirect?

If so it's your web server saying to go to HTTPS. Fix your web server config.

Or is it a 307 redirect which indicates HSTS?

To be perfectly honest I'm not sure if Safari shows this as a 307 (a fake internal redirect to represent HSTS), so it might just go there without showing this, but Chrome does show this.

If so, then deleting that file and restarting should solve that. However can you confirm if the HTTPS site is returning a strict-transport-security HTTP Header? If so then it will just set that next time you happen to go to HTTPS (including if your page loads and image over HTTPS). Can you remove that header? Or better yet, publish it with a max-age of 0 so it removes it from the HSTS browser cache without having to figure out which file it's in or if Safari have moved it from ~/Library/Cookies/HSTS.plist