58

This is a follow-up question to Google Chrome redirecting localhost to https.

Does anyone know how to permanently exclude localhost from the HSTS list in Google Chrome?

Or, any other elegant solution that wouldn't require the developer to visit chrome://net-internals/#hsts and delete localhost every time they switch from working on an HTTPS project to a different project on HTTP?

6 Answers

85

You can follow the solution here.

When Google Chrome keeps redirecting your localhost URL from http://localhost to https://localhost, do the following:

  1. Open the Developer Tools panel (CTRL+SHIFT+I)
  2. Click and hold the reload icon
  3. A menu will open
  4. Choose the 3rd option from this menu (“Empty Cache and Hard Reload”)
5
  • 3
    Cool! Too bad these options don't pop out without Developer Tools. I'm still looking for a more "permanent" solution, but this definitely helps! Thanks!
    – Bugs Bunny
    Commented Sep 23, 2016 at 15:50
  • 12
    Hmm, here on Chrome 79.0.3945.117 on Windows, this solution didn't work. I continued to get the 307 redirect. I still had to visit chrome://net-internals/#hsts and delete it.
    – Johann
    Commented Jan 15, 2020 at 16:50
  • 2
    Step 1.5 is switch back to the tab from which you're loading the localhost page/path. Commented Jul 17, 2020 at 19:36
  • 1
    I had a redirect setup in my /etc/hosts file for localhost.[some-domain].com and [some-domain].com had an entry in chrome://net-internals/#hsts. In this case attempt to delete the localhost.[some-domain].com and if that doesn't work try deleting [some-domain].com from hsts. Commented Nov 16, 2023 at 22:47
  • I found this also clears some pre-cached HSTS value (or whatever it was), so that I could finally always end up in http:// mode for a page view, instead of getting a permanent redirection to https:// mode for the same page address. Commented Jan 23 at 14:09
15
+50

Update:

You can install a proper SSL certificate for those domains if you want to, for free, so you won't need to mess around with HSTS. Take a look here.

You may edit your system's hosts file:

  • On Windows: C:\Windows\System32\drivers\etc\hosts
  • On Linux: /etc/hosts

In there you can define a different domain for each project:

 127.0.0.1    project1.local
 127.0.0.1    project2.local
 127.0.0.1    projectN.local

Note: I'm using *.local domains (you can use virtually anything) because you have already set localhost to redirect to https, and as such we have to use a different domain. However, I strongly recommend that you install a real SSL certificate and reset to default any modifications you have made to HSTS.

Once saved, when you navigate to those domains in any browser, they will load from 127.0.0.1 (localhost). If you use Apache/nginx as the server, you can optionally define VirtualHosts for each domain as well, so you don't need to change your httpd folder every time you switch projects.

Then of course you will have to re-issue any certificate that you may have for those projects for the new domains, but those would be unique for each project. And on Chrome you would not need to be messing with net-internals more than once for each domain for the projects for which you don't have a certificate (and 0 times for those with a certificate).

6
  • 1
    Good one, however this only works if you omit the .localhost part. (If I keep it there, it still redirects to https.) Could you please edit your answer?
    – Bugs Bunny
    Commented Sep 25, 2016 at 11:17
  • Edited, also added an alternative to HSTS. Commented Sep 26, 2016 at 5:45
  • Doesn't work for me: Chrome still switches to https and port 8443.
    – Shannon
    Commented Aug 16, 2018 at 16:06
  • Have you cleared the HSTS entry for the domain? This answer provides an alternative for using several projects on localhost; it will not work if you use more than one project per domain with different security requirements. Commented Aug 16, 2018 at 16:35
  • 1
    Please note that project1.dev, local.dev and other *.dev are not good choices simply because Chromium started enforcing HSTS soon after Google bought .dev as gTLD.
    – Bugs Bunny
    Commented Oct 29, 2019 at 18:39
13

Chrome 78 supports a policy called HSTSPolicyBypassList. You can list "localhost" as a domain to bypass HSTS. To configure Chrome policy on Linux, just create a file at /etc/opt/chrome/policies/managed/policies.json with the following content:

{
    "HSTSPolicyBypassList": [
        "localhost"
    ]
}

You can see the policies loaded by Chrome by typing chrome://policy/ in the address bar.

2
  • 3
    For Brave browser I had to create this file at: /etc/brave/policies/managed/policies.json
    – Haprog
    Commented Jul 4, 2022 at 8:09
  • 2
    Does anybody happen to have the right path for Microsoft Edge on macOS? Thanks!
    – silent
    Commented Jun 3 at 14:20
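The two answers above (per-project hostnames in the hosts file, and the HSTSPolicyBypassList managed policy) both need the same sanity check on the hostnames involved, so here is one added Python helper that serves both; it is example code written for this edit, not code from any of the answers or from Chromium. It validates candidate local-dev hostnames (rejecting names under HSTS-preloaded TLDs such as .dev, which a comment above warns about, and .app, and flagging .local, which RFC 6762 reserves for mDNS) and then merges the bypass list into an existing policies.json instead of overwriting it, so other managed policies in that file survive. The Chrome and Brave paths are the ones given on this page; the preloaded-TLD set is a constructed, deliberately short list.

```python
import json
import os
import re

# Managed-policy file locations named in the answers above (Linux).
POLICY_PATHS = {
    "chrome": "/etc/opt/chrome/policies/managed/policies.json",
    "brave": "/etc/brave/policies/managed/policies.json",
}
# TLDs on Chromium's built-in HSTS preload list: names under them are
# upgraded to https no matter what the hosts file says (.dev is the one
# the comments mention; .app is another preloaded TLD). Constructed list.
PRELOADED_TLDS = {"dev", "app"}
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def check_dev_hostname(name: str) -> list:
    """Return the problems with a candidate local-dev hostname; an empty
    list means it is fine for the hosts file or the bypass list."""
    name = name.strip().lower().rstrip(".")
    if "://" in name or "/" in name or ":" in name:
        return ["must be a bare hostname (no scheme, port or path)"]
    labels = name.split(".")
    problems = []
    if not all(_LABEL.match(label) for label in labels):
        problems.append("invalid hostname syntax")
    tld = labels[-1]
    if tld in PRELOADED_TLDS:
        problems.append(f".{tld} is HSTS-preloaded; Chrome will force https")
    if tld == "local":
        problems.append(".local is reserved for mDNS (RFC 6762); prefer .test")
    return problems

def write_bypass_policy(path: str, hosts: list) -> dict:
    """Merge HSTSPolicyBypassList into an existing managed policy file
    rather than overwriting it, so other policies in the file survive."""
    bad = {h: check_dev_hostname(h) for h in hosts if check_dev_hostname(h)}
    if bad:
        raise ValueError(f"refusing to write bypass list: {bad}")
    policy = {}
    if os.path.exists(path):
        with open(path) as f:
            policy = json.load(f)
    merged = set(policy.get("HSTSPolicyBypassList", [])) | set(hosts)
    policy["HSTSPolicyBypassList"] = sorted(merged)
    if os.path.dirname(path):
        os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        json.dump(policy, f, indent=4)
    return policy
```

Run it as root against POLICY_PATHS["chrome"] (or the Brave path) and then confirm the entry at chrome://policy/ as the answer describes; keep the list to loopback names only, since every host listed there loses HSTS protection in that browser.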
12

Not a permanent fix (security issues can be involved)

I found a "fix". Something interesting, but cannot be a permanent fix because it can cause multiple security issues.

Here's what I did:

  1. Open Google Chrome
  2. In the search bar, type chrome://flags/#allow-insecure-localhost
  3. Enable "Allow invalid certificates for resources loaded from localhost".

If you reload your application, the warning should be gone.

PS: I did that because I needed to recreate a certificate but didn't have the time. That's why I did that. I'll turn this off when my certificate works locally.

4

I got sick of deleting localhost from chrome://net-internals/#hsts, so I learned how to create a profile for macOS that sets two Chrome policies: HSTSPolicyBypassList and CertificateTransparencyEnforcementDisabledForURLs.

Here is a repo with the installable profile for macOS that configures the policy, along with notes on why defaults write com.google.Chrome HSTSPolicyBypassList -string "localhost" doesn't work. https://github.com/ip2k/I-Dont-Care-About-HSTS-For-Localhost

Additionally, chrome://flags/#allow-insecure-localhost and https://chromedevtools.github.io/devtools-protocol/tot/Security/#method-setIgnoreCertificateErrors might be interesting for people working with this frequently or in headless environments. I've added links in the aforementioned repo to anything relevant I could find about this as well. PRs welcome!

0
0

For Brave Windows users, you need to add it like this via Registry Editor, under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Brave\HSTSPolicyBypassList, with key 100 and value localhost: [Registry Editor screenshot]

And you can verify that it's working under brave://policy. [Screenshot: an example of a working Brave setup]
