When I try to visit certain sites and force http (for good reasons that do not need to be discussed here), Safari (macOS) forces the URL to use https – and since the site currently has no https support, I can't visit the site.
There are many answers that suggest that this is related to HSTS but this does not apply in my case:
The site in question is not listed in Safari's Privacy under WebSite Data nor does it appear in the HSTS.plist file. So, there is some other cause that forces Safari to use https, and I suspect it's from the fact that Safari has previously seen me visiting the site with https and now assumes I always want to do that.
Note that when I load the URL with wget, then I get the http version just fine. That should prove that it's Safari's behavior, not the web site's.
So, beside the HSTS settings what other settings might there be that force https in Safari on macOS?
Best Answer
I believe I have figured it out:
The site is an .app domain, e.g.
domain.app. And those sites are by definition https-only. See here.So, it's still HSTS related, but not on an individual site but for the entire ".app" TLD. And for that reason I could not find the specific domain name listed in HSTS, not would deleting the HSTS.plist help.
Well, not sure if I should keep this question up. Maybe it helps others that run into this.
Background: It was my own site. I moved it, along with others, to a new server, and need to verify that they work with plain http. So I tested every site in http, and all but this one worked. So I assumed something wrong with the browsers.
And not only Safari but also Firefox and Chrome want to do https only.
Strangely, though, using other way to request the http site, such as the low level command
wget, do not enforce the https requirement (they don't know about it, obviously), hence it misguided me into thinking the problem was a latent browser setting that I could fix.