How to stop an automatic redirect from “http://” to “https://” in Chrome



I had something set up wacky in our DNS setup which is now resolved.

The remaining problem is that chrome has cached the incorrect setup.

Specifically, when using Chrome is now redirecting to (naked domain), which is not valid/supported. SHOULD redirect to and then force

But on a handful of browsers (including mine) this doesn't happen because of some funky Chrome caching. I tried going to “Privacy -> Clear Cache” but it had no effect.

phil swenson

Posted 2013-03-13T17:40:54.940

Reputation: 4 169


check your plugins (like SSL everywhere) , have you tried to delete (shift+del)? Try to use instead of google.xx.

– malakrsnaslava – 2013-03-14T00:25:24.380


possible duplicate of How can I make Chrome stop caching redirects?

– Ulrich Schwarz – 2013-07-05T18:25:53.470



Anon is right about STS, but there is a way to specifically delete your domain from the set.

  1. Go to chrome://net-internals/#hsts. Enter under Delete domain security policies and press the Delete button.

  2. Now go to chrome://settings/clearBrowserData, tick the box Cached images and files and press click the button Clear data.


Posted 2013-03-13T17:40:54.940

Reputation: 6 249

1This helped me as well!!! While developing internally and having the same problem of the redirect! – Marcello de Sales – 2015-07-12T03:11:34.823

2Man, this had been bugging me for ages, finally got it, thanks! A potential gotcha of note: If the domain you're having trouble with is a subdomain you may need to delete the primary domain from the HSTS set if "include subdomains for STS is set to true". If you run a query on the parent domain you should see if that's set or not for the domain in question. – Pooch – 2016-01-06T17:40:54.470


This only worked for me after I also cleared my browser cache. In chrome: Settings > Show advanced settings… > Privacy > Clear browsing data... Source

– nittyjee – 2017-07-21T06:30:37.677

2This is now found under the Domain Security Policy menu item on the left of the page – Brice – 2017-11-06T17:14:43.060

hsts has been removed from the menu. It is hidden in chrome://net-internals/#hsts – Nick – 2017-11-14T20:15:27.223

7Since 63.0.3239.132 this does nothing. The rule seems to be disregarded and even custom domains that link to localhost is now redirected to https. Annoying factor to have to use self-signed certificates for everything... – Daniel – 2018-01-05T08:59:48.153

@Daniel working with 64.0.3282.186 and works as expected. The only weird is, it doesnt notice you when sometings happend. I entered all pages i called (http://foobar.xo, https://foobar.xo, foobar.xo, foobar.xo/helloWorld) than finaly it worked again. – Dwza – 2018-03-20T10:23:39.037

It seems to work fine also with Chrome 66 and deprecated Symantec's certs. – Dragan Marjanović – 2018-04-20T09:31:12.470

yeah seems google and firefox now have non-standard redirects to https, rendering both browsers leaning on internal rules that only apply to google internal developers. aka not internet standard, google internal it policy on the world. #losers – Dawesi – 2018-08-19T12:22:52.097

A comment on @nittyjee : not not loose your precious browsing-history and cookies, in Chrome you may just clear "cached files and images". – ankostis – 2018-10-10T21:50:57.890

Does not work in Incognito mode. You have to restart Chrome if you opened HTTPS version of website in Incognito mode and want to keep all other tabs opened :( – izogfif – 2018-11-09T12:02:10.770

@ducpho What exactly is domain security policies? I am testing something, if I delete it, will the browser create it again? Am I safe in deleting it? What will I lose? Edit: nevermind, I read this answer and I got my questions answered:

– Shayan – 2019-08-12T16:54:15.530


My problem came from having a .dev domain, which was apparently recently registered as a gTLD and put in a commit to Chrome Canary. I found this out from a recent post I came across as I searched for my problem.

If you have the same problem I do, it appears that the best solution is to change your domain to be something other than .dev. The article suggested .test with a potential solution of .localhost later down the road (via this proposal).

Louie Bertoncin

Posted 2013-03-13T17:40:54.940

Reputation: 2 171

40This was the issue for me as well. On my local development machine I utilized .dev for almost 10 years now. I did a recent Google Chrome update and it started redirecting all of my sites to https for no reason I could understand. Would have never thought it had to do with the .dev, then I came across this answer and changed it to .development and all works well again ... For now :-) . Thanks again! – conrad10781 – 2017-12-08T20:04:26.933

17Perfect! I don't understand why Chrome will do something like that, it's very annoying as I have nearly 30 .dev domains in my local. Hope it's a very, very good reason. – Pablo Ezequiel Leone – 2017-12-11T09:00:51.910

4I have wordpress installed, changing its domain might be a real headache. same for the main directory name ect. is there any other way around? – Rick Sanchez – 2017-12-11T16:26:57.010

9It's because Google bought .dev and presumably will start making public sites using it. – Hilton Shumway – 2017-12-11T18:41:27.017

1Thank you! Please upvote this for visibility. Very annoying change indeed. p.s. quickest solution is switching to safari :p sorry chrome! – e_x_p – 2017-12-11T19:49:17.573

16FML… I almost gave up on my 10+ year web dev career because of this. #starbucksbarista – elbowlobstercowstand – 2017-12-13T22:34:56.373

3Absolutely preposterous of google to effectively kill its usage for local machine development. If is directed elsewhere, the user or the tech knows why it's set that way. **Google should have at least put a note on the page If you're using .dev, do this... – Regular Joe – 2017-12-20T18:13:56.103

Looks like Safari is doing the same thing. – bob – 2017-12-21T05:04:14.543

Can't use .localhost (or for that matter, any non-registered TLD.. ironically this is what allowed us to use .dev until now) with Google OAuth because their API throws "Invalid Redirect: ... must end with a public top-level domain (such as .com or .org)". This might force us to use Firefox exclusively for development, except that we least need to QA in Chrome. So for now, we're just using http://localhost/ as fundamentally recommended by that RFC. It's so fascist...

– Charney Kaye – 2017-12-31T22:43:20.230

Not a quick fix but a work-around for testing Chrome, Safari, etc. is to use Docker and place your web server, etc. in a Docker instance. Not ideal for the short term, but long term it may be more beneficial. I too have been using the .dev to map to localhost on Linux for years now. Very annoying... – RyanNerd – 2018-01-02T22:15:38.000

1Oh, so it was an issue with Chrome after all. I couldn't find anything of note in the changelogs and on the web. Things still work well in Firefox, IE and Edge, so I thought Chrome (and Opera) had broken something pretty bad, and I was tearing my hair thinking why clearing stuff from chrome://net-internals/#hsts or chrome://net-internals/#dns weren't working!! Thanks for the answer. – kumarharsh – 2018-01-17T07:13:14.673

a billion points to you! – dangel – 2018-01-19T00:01:13.817


If you're running a local VM with a separate IP, don't use .localhost and use something like .test instead. On macOS .localhost will skip the hosts file and directly route to local loopback and be inaccessible.

– mopsled – 2018-01-25T08:54:42.263

Tried everything else and this was the exact issue! Thanks a bunch. For anyone else using valet, you can switch your domain extension via valet domain test (where test is the extension you would like to use) – David – 2018-02-04T19:22:20.280

I'm experiencing the same issue as well. What the hell is wrong with Chrome developers?! – Slavik Meltser – 2019-03-25T01:57:15.237

Firefox appears to be doing this for me, too. It's not happening in safari, though. – StevieD – 2019-04-12T15:01:00.180

A day and a half gone forever for this to be the answer. May the gods of the votings have the favors upon you. – Code Maverick – 2019-04-26T21:55:17.407

20 sends the Strict-Transport-Security header so accessing it over https once will make browsers like Chrome/Firefox redirect http requests to https until some specified point in the future.

As the other answer said, the only way to stop this once it starts is to clear the browser cache (or wait for the browser to expire the order).


Posted 2013-03-13T17:40:54.940

Reputation: 830


To delete domain under "HSTS" menu in chrome://net-internals is a temporary solution. After visiting this domain over HTTPS it will be included in HSTS list again.

Basicaly, to solve this issue it is necessary to disable HTTP Strict Transport Security on the web-server (IIS, Apache, nginx,...). For nginx edit its HTTPS section in nginx.conf and set 'max-age=0' for Strict-transport-Security:

server {
        ssl on;
        add_header Strict-Transport-Security "max-age=0;";

More info:HTTP Strict Transport Security (HSTS)


Posted 2013-03-13T17:40:54.940

Reputation: 71

I wasn't able to get the add_header method to work. – Alex Barker – 2016-01-26T06:49:47.343

for me the server did not issue a HSTS header so this is not a solution. From what I can tell, chrome recorded when I accidentally visited it with https and created an internal HSTS record that then mysteriously redirected me to https everytime. Fix was to use the delete HSTS record in chrome:net-internals. Had a handy checker in there as well. – rob – 2017-05-15T13:53:54.433

1To delete HSTS record is a temporary solution. You will get this record in chrome again and again after visit https untill server send "max-age=0". – user2285323 – 2017-05-16T17:46:31.343


There could be a couple of reasons for this, including plugins but assuming that you do not have any plugins installed you can do the following:

Goto Settings/Privacy/Clear Browsing Data...

Select The Beginning of Time in the pull down.


  • Clear saved Autofill form data
  • Delete cookies and other site and plug-in data
  • Empty the cache

Select Clear Browsing Data

This should take care of it doing any Auto-fill based on your previous browsing. Also, it will remove any of the cookies that could also be causing problems.


Posted 2013-03-13T17:40:54.940

Reputation: 718

The problem for me was the cache. I was able to go to my http site fine in firefox and a chrome incognito window. There were no cookies for the site. – ton.yeung – 2016-08-29T14:40:21.613

1This also worked for me where the HSTS did not. I only had to check the "Images and Files" checkbox. – dgig – 2017-03-01T16:16:01.900

This worked for me, while HSTS and other solutions did not. – AllisonC – 2017-04-07T13:54:19.103

This worked for me as well. – jcubic – 2018-10-24T15:17:06.083


If you are facing the problem on a subdomain then this line in Nginx might cause a problem even if the subdomain is in another server, as the browser will cache this information.

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

so remove the includeSubdomains; of it to make it work.


Posted 2013-03-13T17:40:54.940

Reputation: 363



None of the option fixes worked for me, for fixing https://localhost:3000, this did.

Click and hold reload button and select “Empty Cache and Hard Reload,” this seems to only be an option on localhost.

Screenshot of the “Empty Cache and Hard Reload” option.


Posted 2013-03-13T17:40:54.940

Reputation: 195

2To make this work on Chrome Version 77.0.3865.90 (Official Build) (64-bit) (MacOS), I had to do this [1] (after opening problematic page) Right click anywhere and click on Inspect [2] After the inspect frame appears, click and hold on reload button [3] in the drop-down that appears, click on Empty Cache and Hard reload – y2k-shubham – 2019-09-27T07:55:28.470


Before few days I accidentally turned on Chrome options named:

  • Automatically send some system information and page content to Google to help detect dangerous apps and sites
  • Protect you and your device from dangerous sites

And now the main problem was that our website on subdomain always redirect from http:// to https:// and browser gave me an error:

"Your connection is not private. Attackers might be trying to steal your information from (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID"

Open chrome://settings/privacy and turn previously named chrome options that automatically protect your devices. Hope this will help someone.


Posted 2013-03-13T17:40:54.940

Reputation: 41

Didn't seem to work for me. – Dave Burton – 2017-10-11T09:43:00.727


A less drastic alternative than clearing all cookies ever is Settings>Show advanced settings>Content Settings>All Cookies and site data then search for the sites in question and clear cookies for only those.


Posted 2013-03-13T17:40:54.940

Reputation: 151

Thanks this works perfectly. I don't know why Chrome makes this such a hidden feature.....well actually, I can guess why... – ktec – 2016-12-06T10:05:13.273

1this doesn't seem to work with current Chrome version. – Vylix – 2018-07-17T03:01:10.813


in Chrome 66, lots have changed in the Settings tab

you can just go to chrome://settings/resetProfileSettings?origin=userclick then hit reset.

this worked for me.


Posted 2013-03-13T17:40:54.940

Reputation: 21

This will reset ALL your settings. – Rafal Enden – 2020-02-27T15:05:37.243