Sunday, August 26, 2018

Chrome browser always redirects http to https

When I access some websites, they always redirect the URL from http to https even when I manually enter http. I wondered how this happens, so I dug a bit further and found out that Chrome always does a 307 Internal Redirect.

How to stop an automatic redirect from “http://” to “https://” in Chrome?
To answer this question, we need to understand why Chrome behaves this way: the behaviour comes from HTTP Strict Transport Security.

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application specifies through a special response header (Strict-Transport-Security). Once a supported browser receives this header, it will refuse to send any communication over plain HTTP to the specified domain and will instead send everything over HTTPS.

For example:

Strict-Transport-Security: max-age=31536000; includeSubDomains

The main benefits HSTS brings in terms of security:
  1. HSTS makes the browser upgrade HTTP requests to HTTPS for the target domain before they leave the browser (this is the 307 Internal Redirect seen above)
  2. HSTS does not allow a user to click through an invalid-certificate warning for that domain
Here are ways to stop HSTS:
1) Server side: disable it on the web server, for instance on Nginx set max-age to zero:
add_header Strict-Transport-Security "max-age=0;";
Note that browsers only honour this header when it arrives over HTTPS, so the zero max-age has to be served from the HTTPS site, and it only clears the policy in browsers that visit after the change.

2) Client side: delete the domain's security policy in the browser, for instance go to chrome://net-internals/#hsts and delete the target domain. However, you cannot delete entries from the browser's built-in preload list.
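To make the behaviour above concrete, here is a small Python model (added here as an illustration, not code from the original post or from Chrome) of how a browser parses the header and decides whether to upgrade a request; it covers the ignored-over-HTTP rule, expiry, includeSubDomains, max-age=0 clearing the cache, and preloaded entries that cannot be cleared. PRELOADED is a constructed stand-in for the real preload list, and example.com is just a sample entry.

```python
import time

# Constructed stand-in for the browser's built-in preload list (assumption:
# preloaded hosts cover their subdomains and cannot be removed at run time).
PRELOADED = {"example.com"}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; return None if it is unusable."""
    policy = {"max_age": None, "include_subdomains": False}
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None          # max-age must be a non-negative integer
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None  # max-age is required

class HstsStore:
    """The per-host HSTS cache a browser keeps (what chrome://net-internals/#hsts edits)."""
    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, header, over_tls):
        """Apply a response header from `host`, as a browser would."""
        if not over_tls:
            return               # the header is ignored unless received over HTTPS
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.entries.pop(host, None)   # max-age=0 deletes the cached policy
            return
        self.entries[host] = (self.now() + policy["max_age"], policy["include_subdomains"])

    def should_upgrade(self, host):
        """True if a plain-HTTP request to `host` gets the internal redirect to HTTPS."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in PRELOADED:
                return True            # preloaded entries cannot be cleared
            entry = self.entries.get(candidate)
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False
```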

