Jan 31, 2021

Safari is automatically redirecting to an HTTPS site that does not exist

Overview

When I entered the URLhttp://localhost:1313 into the Safari web browser, it automatically redirected the request to https://localhost:1313. No amount of manually retyping http or cache clearing resolved the problem. After a bit of research, I determined the problem is caused by the HTTP Strict Transport Security cache. HSTS forces web browsers to only connect to a domain over the secure https protocol.

In this example http://localhost:1313 is my Hugo development server. It never used HSTS https, I am unsure why it Safari thought it was. This post details the steps necessary to clear the HSTS cache to allow unencrypted http connections again.

Details

When the following URL is entered into Safari:

Image of Safari URL bar with http://localhost:1313 entered

Safari automatically redirects to the non-existent HTTPS site:

Image of Safari web browser with https://loalhost:1313 in the URL bar because of automatic redirection

Since the Hugo webserver does not speak https the page would fail with the following error:

Image of Safari web browser displaying the error, can not establish a secure connection to the server

The problem is caused by an improper HSTS cache entry. This issue is resolved by opening the Safari settings by pressing command + , and selecting Privacy -> Manage Website Data...:

Image of Safari settings with the Manage Website Data button

In the settings menu, search for the site improperly redirecting to https, in my example this is localhost and 127.0.0.1. Delete all matching entries:

Image of Safari site cache settings

The page will now load without redirecting to the https page: