Safari forcing HTTPS for some HTTP only sites

Streeme, did you manage to reset the history in Safari? Since the HSTS.plist is recreated after deleting it Safari has to save those entries somewhere else., otherwise the file would be empty after recreating it. If the current Safari has some issues with following the instructions for Strict Transport Security and a future version, e.g. in Yosemite, fixes those then you should be able to access the site without being redirected. I can't tell whether Safari is faulty and it's weird that other browsers work fine. Is the web server for your site sending an HSTS header? See the instructions I posted above to check.

Well, I have the same problem, and it drives me nuts!

I have a debian server running an apache 2 web server, hosting toto.mydomain.com, with http and https connections. Depending on the http or https address, 2 web sites are then displayed. BUT, safari still automatically redirects me to the https address. I have tested everything mentioned above, nothing works. I have even modified the web server response to set HSTS response to 0:

> curl -I https://toto.maydomain.com

HTTP/1.1 200 OK

Date: Sat, 29 Nov 2014 13:53:48 GMT

Server: Apache/2.2.22 (Debian)

X-Powered-By: PHP/5.4.35-0+deb7u2

Set-Cookie: 52152665cd64c=s5kjtuc3muhphhu5q8lq8ovvp4; path=/; HttpOnly

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Strict-Transport-Security: max-age=0

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

X-Frame-Options: Sameorigin

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *

X-Robots-Tag: none

Vary: Accept-Encoding

Content-Type: text/html; charset=utf-8

But safari keeps redirecting me to the https version of the website.

I really don't understand what is happening.

But if I use a fresh new account on the system, this redirection does not occur any more, even if I visit the https version of the website.

So a cache, somewhere in the system, must be cleared. But which one? HSTS.plist removal has no effect here.

EDIT : the only solution I had not tried was to reboot the system after 1/ clearing the cache, 2/ deleting every entries for toto.mydomain.com from the history, and 3/ deleting HTST.plist. And ... it works now!

Doesn't that clear all your logins and stuff from every other site you have?

Apple come on!

Look here, I have changed it: https://www.dropbox.com/s/ny2vfqat6mtrnyz/Sk%C3%A4rmklipp%202015-06-10%2000.01.3 6.png?dl=0

And then right after it changes back: https://www.dropbox.com/s/akp8zphv2dykzjs/Sk%C3%A4rmklipp%202015-06-10%2000.02.4 7.png?dl=0

I can't force Safari to visit the http version by typing it in either....

EDIT: If I use the IP however, I can choose manually, and change the bookmark... very strange...

Sorry but this didn't solve the problem in my case.

OS X 10.11 El Capitán hasn't neither solved this annoying behavior.

Any other idea?, or do I have to continue using Chrome just for connecting to my intranet server...

Regards,

Francis Perea

I had the same problem ...

In safari i cleared all cookies and the entries in the history regarding the https site and quit safari. In /library/Cookies i deleted all files with "safari" in its name and the "HSTS.plist"

Started safari and everything is fine 🙂

So I have to say that I have had no luck when it comes to resetting Safari. I actually created a brand new local user account and tried it there, but it still switches to https. I figured that I have my server configured wrong using Strict Transport Security, however that is not the case. I did, but I removed the line in the nginx config file. when I do the curl -I thingy I get this:

mbp:~ user$ curl -I http://www.domain.com

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 14 Dec 2015 14:40:40 GMT

Content-Type: text/html; charset=UTF-8

Connection: keep-alive

Vary: Accept-Encoding

Set-Cookie: frontend=j0il7j0lr16fb2inuj2hsf1i66; expires=Wed, 13-Jan-2016 14:40:39 GMT; Max-Age=2592000; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

X-Frame-Options: SAMEORIGIN

X-Config-By: LD

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

X-UA-Compatible: IE=Edge,chrome=1

X-Processing-Time: 0.580

mbp:~ user$ curl -I https://www.domain.com

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 14 Dec 2015 14:41:31 GMT

Content-Type: text/html; charset=UTF-8

Connection: keep-alive

Vary: Accept-Encoding

Set-Cookie: frontend=tnghb13jdn3klhffebpnvmruo1; expires=Wed, 13-Jan-2016 14:41:31 GMT; Max-Age=2592000; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: frontend_cid=ld6irzeXL135A8Ml; expires=Wed, 13-Jan-2016 14:41:31 GMT; Max-Age=2592000; path=/; domain=www.domain.com; secure

X-Frame-Options: SAMEORIGIN

X-Config-By: LD

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

X-UA-Compatible: IE=Edge,chrome=1

X-Processing-Time: 0.566

My iPhone Safari even is showing it in http://, no problem there. Chrome, Firefox... no problem, IE on Windows 10, no problem, Safari on Windows - no problem!!!!! What is going on here?

Well, we're coming up on almost two years since you first noticed this, and Apple is no closer to giving a flip about fixing it than they were back then, apparently 😠

I'm having the same problem with Safari utterly disregarding my bookmarks as entered, as well as direct entry of the URL. It seems once I visit any HTTPS page on my domain, Safari sees fit to ignore everything unsecured on that domain from that point forward.

I SHOULD NOT HAVE TO RESET MY BROWSER TO MAKE IT RESPECT MY BOOKMARKS AS ENTERED, APPLE!!! Stop trying to think FOR me and fix your broken software!

This fixes it in the latest safari (July 2016):

- Quit safari

- Edit this file : ~/Library/Cookies/HSTS.plist and remove the entry that is causing trouble, or if you're feeling bold delete the whole file (which contains 100s of entries for me), but be warned apple has this feature in place for your safety so editing preferred.

- DON'T reopen safari (it caches the file). Instead restart your mac.

Now it should work next time you open safari 🙂

It's pretty funny all the complaints about a broken Safari or something like that.

Hey guys, this works as designed. HSTS ensures that if a website provider wants to let browsers know that they only serve secure connections he can do that and the browser saves this for the defined time span. There is nothing you can do about this in the long term as long as the website provider sends HSTS headers. Of course you can delete regularly all HSTS caches in Safari. As you might know there is also a HSTS preload list maintained by Google which is hard coded into many browsers including Safari. If the domain is on that list you won't have any chance to connect to an unsecure HTTP connection.

The workaround that worked for me for localhost development was to:

* Temporarily set a really short Strict Transport expiration time in the web server.

In nginx

add_header Strict-Transport-Security "max-age=2; includeSubdomains;";

* Open up Safari to go to https://localhost ...

* Remove the Strict Transport directive and restart nginx.

* Open up Safari to go to http://localhost ...

Yep, this issue is screwing me around as well. For Mavricks and Safari 7.02. FF and Chrome are fine.

You're welcome. That's a weird issue and I hope one of you finds out what's the reason behind all this.

In Safari 8, "Clear History and Website Data...", quitting Safari, rm ~/Library/Cookies/HSTS.plist, and restarting Safari cleared this up for me...

Have been suffering the same issue for a long time and now found my solution:

installed Firefox & imported my Safari booksmark

-> don't wait for Apple to change anyting, be happy again!