Safari forcing HTTPS for some HTTP only sites

In my case, yes, the problem was caused by the server that has the web site. However there might be other reasons that are unclear at the moment.

You can check whether the problem is similar to mine by going to URI Valet (just found it on Google) and entering the web address into the first input named URI. Tick the check box Check Server Headers Only, ignore all of the other inputs and click Submit.

You can try with both http and https.

You can see the header information that the server sends back to you under SERVER RESPONSE. If you see a line that reads Strict-Transport-Security you're having the same problem I had. If not there'll likely be a different cause for which I'm afraid I don't have a solution yet.

Thanks so much for the info and simple instructions. I didn't see that line anywhere in there. Ended up downloading Chrome and accessing the site with that instead. I'll see if I can get one of my tech-oriented friends to take a look at it this weekend. Thanks again!

You're welcome. That's a weird issue and I hope one of you finds out what's the reason behind all this.

I found out how to delete the Strict Transport Security (HSTS) history from Safari since clearing the browsing history or even completely resetting Safari alone didn't work. As we know, the web server sends a time value along with the HSTS header. Safari stores those sites a file in ~/Library/Cookies/HSTS.plist. Open that file and look for your domains, they might have send that header at some point in the past. If you're domain is not listed, probably the HSTS isn't responsible for redirecting to HTTPS. If it is, you can delete it from the list doing the following:

1. Remove cookies for that domain in Settings > Privacy > Details…

You might also have clear the browsing history and/or reset Safari, unfortunately I'm not sure what worked for me.

2. Close Safari

3. Rename or delete ~/Library/Cookies/HSTS.plist

When you open Safari now and browse to your site it should work. As I said, I can't tell anymore which variation in step 1 did the trick for me. You could also try to let your web server send the HSTS header with a lifetime of 60 seconds for Safari to quickly disregard it.

The HSTS.plist is recreated some time after launching Safari and probably will still contain all the other HSTS sites that it had previously. In my case it has accounts.google.com and twitter.com among others.

No way for me too. While other "minor" browsers, such as Firefox, Chrome and Sleipnir will open the right page, Safari keeps redirecting to https, whatever you'll do: that drove me crazy without absolutely any reason on earth.

Provided that this issue will be fixed in a next release (the one included in Yosemite? I won't believe it), will the issue be persistent for users who experienced it before, like us?

Streeme, did you manage to reset the history in Safari? Since the HSTS.plist is recreated after deleting it Safari has to save those entries somewhere else., otherwise the file would be empty after recreating it. If the current Safari has some issues with following the instructions for Strict Transport Security and a future version, e.g. in Yosemite, fixes those then you should be able to access the site without being redirected. I can't tell whether Safari is faulty and it's weird that other browsers work fine. Is the web server for your site sending an HSTS header? See the instructions I posted above to check.

Well, I have the same problem, and it drives me nuts!

I have a debian server running an apache 2 web server, hosting toto.mydomain.com, with http and https connections. Depending on the http or https address, 2 web sites are then displayed. BUT, safari still automatically redirects me to the https address. I have tested everything mentioned above, nothing works. I have even modified the web server response to set HSTS response to 0:

> curl -I https://toto.maydomain.com

HTTP/1.1 200 OK

Date: Sat, 29 Nov 2014 13:53:48 GMT

Server: Apache/2.2.22 (Debian)

X-Powered-By: PHP/5.4.35-0+deb7u2

Set-Cookie: 52152665cd64c=s5kjtuc3muhphhu5q8lq8ovvp4; path=/; HttpOnly

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Strict-Transport-Security: max-age=0

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

X-Frame-Options: Sameorigin

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *

X-Robots-Tag: none

Vary: Accept-Encoding

Content-Type: text/html; charset=utf-8

But safari keeps redirecting me to the https version of the website.

I really don't understand what is happening.

But if I use a fresh new account on the system, this redirection does not occur any more, even if I visit the https version of the website.

So a cache, somewhere in the system, must be cleared. But which one? HSTS.plist removal has no effect here.

EDIT : the only solution I had not tried was to reboot the system after 1/ clearing the cache, 2/ deleting every entries for toto.mydomain.com from the history, and 3/ deleting HTST.plist. And ... it works now!

In Safari 8, "Clear History and Website Data...", quitting Safari, rm ~/Library/Cookies/HSTS.plist, and restarting Safari cleared this up for me...

Doesn't that clear all your logins and stuff from every other site you have?

Apple come on!

Look here, I have changed it: https://www.dropbox.com/s/ny2vfqat6mtrnyz/Sk%C3%A4rmklipp%202015-06-10%2000.01.3 6.png?dl=0

And then right after it changes back: https://www.dropbox.com/s/akp8zphv2dykzjs/Sk%C3%A4rmklipp%202015-06-10%2000.02.4 7.png?dl=0

I can't force Safari to visit the http version by typing it in either....

EDIT: If I use the IP however, I can choose manually, and change the bookmark... very strange...

Sorry but this didn't solve the problem in my case.

OS X 10.11 El Capitán hasn't neither solved this annoying behavior.

Any other idea?, or do I have to continue using Chrome just for connecting to my intranet server...

Regards,

Francis Perea

I had the same problem ...

In safari i cleared all cookies and the entries in the history regarding the https site and quit safari. In /library/Cookies i deleted all files with "safari" in its name and the "HSTS.plist"

Started safari and everything is fine 🙂

So I have to say that I have had no luck when it comes to resetting Safari. I actually created a brand new local user account and tried it there, but it still switches to https. I figured that I have my server configured wrong using Strict Transport Security, however that is not the case. I did, but I removed the line in the nginx config file. when I do the curl -I thingy I get this:

mbp:~ user$ curl -I http://www.domain.com

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 14 Dec 2015 14:40:40 GMT

Content-Type: text/html; charset=UTF-8

Connection: keep-alive

Vary: Accept-Encoding

Set-Cookie: frontend=j0il7j0lr16fb2inuj2hsf1i66; expires=Wed, 13-Jan-2016 14:40:39 GMT; Max-Age=2592000; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

X-Frame-Options: SAMEORIGIN

X-Config-By: LD

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

X-UA-Compatible: IE=Edge,chrome=1

X-Processing-Time: 0.580

mbp:~ user$ curl -I https://www.domain.com

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 14 Dec 2015 14:41:31 GMT

Content-Type: text/html; charset=UTF-8

Connection: keep-alive

Vary: Accept-Encoding

Set-Cookie: frontend=tnghb13jdn3klhffebpnvmruo1; expires=Wed, 13-Jan-2016 14:41:31 GMT; Max-Age=2592000; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: frontend_cid=ld6irzeXL135A8Ml; expires=Wed, 13-Jan-2016 14:41:31 GMT; Max-Age=2592000; path=/; domain=www.domain.com; secure

X-Frame-Options: SAMEORIGIN

X-Config-By: LD

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

X-UA-Compatible: IE=Edge,chrome=1

X-Processing-Time: 0.566

My iPhone Safari even is showing it in http://, no problem there. Chrome, Firefox... no problem, IE on Windows 10, no problem, Safari on Windows - no problem!!!!! What is going on here?

Well, we're coming up on almost two years since you first noticed this, and Apple is no closer to giving a flip about fixing it than they were back then, apparently 😠

I'm having the same problem with Safari utterly disregarding my bookmarks as entered, as well as direct entry of the URL. It seems once I visit any HTTPS page on my domain, Safari sees fit to ignore everything unsecured on that domain from that point forward.

I SHOULD NOT HAVE TO RESET MY BROWSER TO MAKE IT RESPECT MY BOOKMARKS AS ENTERED, APPLE!!! Stop trying to think FOR me and fix your broken software!

Have been suffering the same issue for a long time and now found my solution:

installed Firefox & imported my Safari booksmark

-> don't wait for Apple to change anyting, be happy again!

Have the same problem. Nothing helps 😢