Chrome – How to Stop Persistent Redirect to HTTPS for HTTP Site

google-chromehttpsredirection

I'm building a site to replace an older site. The newer site currently is NOT HTTPS. However, the old site is HTTPS. I'm switching between the two sites by toggling an entry in my 'hosts' file.

I occasionally need to access the old site. When I do, it forcibly redirects to https://, but when I switch back to the new site, Chrome is then broken and will not let me get to http:// to the site but forcibly redirects to https:// which gives me the obvious "Privacy Error" warning and screws up a number of other things (it's WordPress, so it asks me to re-login, but I can't).

How the heck can I force Chrome to stop redirecting to https://? I tried chrome://net-internals/#hsts and I deleted the domain security policies for the site, but it seems to do absolutely nothing. Chrome still redirects. I also tried refreshing clearing cache – this doesn't work either.

Best Answer

I have been able to get around this by deleting the domain security policy for the domain:

Go to chrome://net-internals/#hsts
Go towards the end and enter your domain in this textbox and hit delete.

Delete domain security policies Input a domain name to delete its dynamic domain security policies (HSTS and Expect-CT). (You cannot delete preloaded entries.):

Domain: example.com

Related Solutions

Google-chrome – How to force Google Chrome to remember HTTPS credentials

If both Chrome installs are the same version, and yet are behaving differently, then there must me something messing it up at profile level.

I suggest creating a new profile from scratch, of copying your profile from the installation that does remember https credentials to the one that does not.

Creating a new profile is as easy as deleting (or renaming the folder) that contains the current one.

For guidelines on where Chrome stores its profiles, check http://www.chromium.org/user-experience/user-data-directory

PD: profile = user data directory

Word – Forcing HTTPS with .htaccess on site with WordPress in subfolder

I would argue you should put your new .htaccess file in public_html folder.

Try the following with mod_rewrite in your .htaccess file

RewriteEngine On
# This will enable the Rewrite capabilities
RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf or .htaccess context

These three lines also have to be added to the .htaccess file in the blog folder, modifying the RewriteRule to reflect that subfolder:

RewriteRule ^/?(.*) https://%{SERVER_NAME}/blog/$1 [R,L]

It might be also useful to apply mod_ssl to force SSL with the SSLRequireSSL Directive:

This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for the current connection. This is very handy inside the SSL-enabled virtual host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL. Keep in mind that this will not do a redirect to https by itself.

Best Answer

Related Solutions

Google-chrome – How to force Google Chrome to remember HTTPS credentials

Word – Forcing HTTPS with .htaccess on site with WordPress in subfolder

Related Question