Disable website redirection to HTTPS on Chrome
Disabling Automatic HTTPS Redirection in Google Chrome
Learn how to prevent Google Chrome from automatically redirecting HTTP requests to HTTPS, a common challenge for local development and specific network configurations.
Google Chrome, like many modern browsers, prioritizes secure connections. This often means it will automatically attempt to upgrade HTTP requests to HTTPS, even if you explicitly type http:// in the address bar. While this behavior is beneficial for general web browsing security, it can be problematic for developers working with local HTTP servers, legacy systems, or specific network environments where HTTPS is not available or desired. This article will guide you through various methods to temporarily or permanently disable this automatic redirection in Chrome.
Understanding Chrome's HTTPS Redirection Mechanisms
Chrome employs several mechanisms that contribute to its aggressive HTTPS redirection behavior. Understanding these is key to effectively bypassing them:
- HSTS (HTTP Strict Transport Security): This is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. If a website sends an HSTS header, Chrome will remember for a specified duration to only connect to that site using HTTPS, even if you try to navigate via HTTP.
- HTTPS-First Mode: Introduced in Chrome 90, this mode attempts to upgrade all navigations to HTTPS. If a site doesn't support HTTPS, Chrome will show a full-page warning before allowing you to proceed to the HTTP version.
- Internal Redirects/Assumptions: Chrome often makes assumptions about common domains and may attempt HTTPS by default, even without explicit HSTS headers, especially for well-known sites.
Method 1: Bypassing HSTS for Specific Domains
HSTS is a persistent setting. Once Chrome sees an HSTS header for a domain, it will enforce HTTPS for that domain for the duration specified by the website. To bypass this for a specific site, you need to clear Chrome's stored HSTS data for that domain.
1. Open Chrome's HSTS Settings
In your Chrome browser, navigate to chrome://net-internals/#hsts. This page allows you to view and delete HSTS entries.
2. Query Domain Status (Optional)
In the 'Query HSTS/PKP domain' section, enter the domain you're having issues with (e.g., example.com) and click 'Query'. This will show you if HSTS is currently active for that domain and its settings.
3. Delete Domain Security Policies
In the 'Delete domain security policies' section, enter the exact domain name (e.g., example.com) and click 'Delete'. This will remove any HSTS or Public Key Pinning (PKP) policies Chrome has stored for that domain.
4. Clear Browser Cache and Cookies
After deleting the HSTS policy, it's often necessary to clear your browser's cache and cookies for that specific site to ensure all old data is removed. You can do this via Chrome's settings or by right-clicking on the page, selecting 'Inspect', going to the 'Application' tab, and clearing 'Storage'.
Deleting HSTS policies for a specific domain in Chrome.
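The HSTS bookkeeping behind Method 1, as an added Python example that is not from the original article: it models how a browser records Strict-Transport-Security headers (RFC 6797) and finds which stored entry is upgrading a given host. The host names, timestamps, and the note_header/forcing_entry helpers are constructed for illustration and do not read Chrome's real store.

```python
from dataclasses import dataclass

@dataclass
class HstsEntry:
    host: str                 # host that sent the header
    expires: float            # epoch seconds after which the entry is ignored
    include_subdomains: bool

def note_header(store, host, header, now):
    """Apply one Strict-Transport-Security header (RFC 6797) to the store."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return            # repeated directive: the whole header is ignored
        seen.add(name)
        value = value.strip().strip('"')
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return        # malformed max-age: the header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return                # max-age is mandatory
    host = host.lower().rstrip(".")
    if max_age == 0:
        store.pop(host, None) # max-age=0 asks the browser to forget the host
    else:
        store[host] = HstsEntry(host, now + max_age, include_sub)

def forcing_entry(store, target, now):
    """Return the stored entry that upgrades `target` to HTTPS, or None."""
    labels = target.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is None or now >= entry.expires:
            continue
        if i == 0 or entry.include_subdomains:
            return entry      # exact match, or a parent covering subdomains
    return None

# Constructed sample: headers a browser might have seen, with receipt time NOW.
NOW = 1_700_000_000
store = {}
note_header(store, "example.com", "max-age=31536000; includeSubDomains", NOW)
note_header(store, "legacy.example.org", "max-age=300", NOW)

if __name__ == "__main__":
    print(forcing_entry(store, "dev.example.com", NOW + 60))
```

When the entry returned for a subdomain belongs to a parent domain, the parent is the name to enter under 'Delete domain security policies'. A site owner can also clear the entry from the server side by sending max-age=0 over HTTPS.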
Method 2: Disabling HTTPS-First Mode (Chrome 90+)
For Chrome versions 90 and above, the HTTPS-First Mode can be a primary reason for unwanted redirects. This mode attempts to upgrade all navigations to HTTPS by default. You can disable this feature through Chrome's settings.
1. Access Chrome Settings
Open Chrome and go to chrome://settings/security.
2. Locate Security Section
Scroll down to the 'Advanced' section within the Security settings.
3. Toggle HTTPS-First Mode
Find the option 'Always use secure connections' (or 'HTTPS-First Mode' in older versions) and toggle it OFF. This will prevent Chrome from automatically upgrading HTTP requests to HTTPS.
Disabling 'Always use secure connections' in Chrome settings.
Method 3: Using Command-Line Flags (Advanced)
For more persistent or programmatic control, you can launch Chrome with specific command-line flags. This method is particularly useful for developers or automated testing environments.
google-chrome --args --disable-features=SSLCommonNameMismatchHandling,SSLv3Fallback,RequireCT,StrictSecureContexts,BlockInsecurePrivateNetworkRequests
Example command to launch Chrome with various security features disabled.
While there isn't a single flag to disable all HTTPS redirection, flags like --allow-running-insecure-content can help with mixed content warnings, and --ignore-certificate-errors can bypass certificate validation, which might indirectly help in some local development scenarios where self-signed certificates are used. However, these are generally not recommended for general browsing.
Method 4: Using a Browser Extension (Less Recommended)
While less recommended due to potential security implications and reliance on third-party code, some browser extensions claim to manage or disable HTTPS redirection. Exercise extreme caution when installing such extensions, as they require significant permissions and could introduce new security vulnerabilities.
In conclusion, while Chrome's default behavior of prioritizing HTTPS is a crucial security feature, there are legitimate reasons to temporarily or selectively disable it. The HSTS bypass and disabling HTTPS-First Mode are the most common and effective methods for managing this behavior for specific sites or general browsing, respectively. Always remember to re-enable security features or clear HSTS policies once your specific task is complete to maintain a secure browsing experience.