Modern web browsers like Firefox, Chrome, and Edge are increasingly prioritizing secure connections by automatically upgrading HTTP URLs to HTTPS when possible. While this helps safeguard users against potential threats, it can become a nuisance in certain situations—particularly for web developers, network testers, or users needing access to older or local sites that don’t support HTTPS. Understanding how to stop this automatic redirection can save time and prevent connectivity issues.
Why Browsers Force HTTPS
Over the past few years, internet security has become a central concern for browser vendors. As a result, they’ve adopted features that automatically redirect users to the HTTPS version of a website if it’s available. This effort aims to:
- Improve user safety
- Encrypt data to prevent tampering and interception
- Encourage sites to adopt HTTPS for better trustworthiness
Unfortunately, these automatic upgrades can sometimes access outdated certificates, misconfigured servers, or simply block access to necessary non-secure resources. When this happens, users may need to override this behavior.
Disabling HTTP to HTTPS Redirection in Firefox
Firefox introduced a feature called HTTPS-Only Mode. When active, this setting tries HTTPS for all URLs first.
To disable it:
- Open Firefox and go to Settings.
- Select Privacy & Security from the menu.
- Scroll down to the HTTPS-Only Mode section.
- Select Don’t enable HTTPS-Only Mode.
Advanced users can also type about:config in the address bar and search for:
dom.security.https_only_mode- Set it to false.
This disables HTTPS-Only behavior entirely.
Stopping HTTPS Redirects in Chrome
Google Chrome uses something called the HSTS (HTTP Strict Transport Security) list, which can often force HTTPS even when not preferred. Here’s how to work around it:
- Type
chrome://net-internals/#hstsinto the address bar and press Enter. - Use the Delete domain security policies tool.
- Enter the site domain (e.g., example.com) you want to stop redirecting.
- Click Delete.
To stop Chrome from upgrading insecure URLs generally, users can run Chrome with command-line arguments to disable these mechanisms—but note this is mainly for testing environments. For example:
chrome.exe --disable-features=UpgradeInsecureRequests
Additionally, modifying browser flags may help:
- Go to
chrome://flags - Search for HTTPS-First Mode and disable it.
Disabling Forced HTTPS in Microsoft Edge
Since Edge is built on Chromium, the steps are quite similar to Chrome. However, there’s a specific setting for secure-only connections.
- Open
edge://settings/privacy - Scroll to Security.
- Find the option Automatically switch to more secure connections with HTTPS.
- Turn it Off.
For domain-specific control, the Edge version of net-internals can be used by navigating to:
edge://net-internals/#hsts
From there, delete entries for any domain forcing HTTPS against your preferences.
Additional Tips
- Clear your browser cache after making these changes to prevent cached redirects from persisting.
- Use developer tools (F12) to monitor redirect chains.
- For recurring local issues, consider hosting content on localhost using HTTPS via self-signed certificates.
FAQ
Q: Why does my browser keep forcing HTTPS?
A: Browsers like Chrome, Firefox, and Edge prioritize HTTPS for better security and privacy. They may remember previous redirects or use a site’s strict transport settings (HSTS) to enforce HTTPS.
Q: Can I disable HTTPS across all websites globally?
A: No. Browsers are designed to enforce HTTPS where possible. You can disable features like HTTPS-Only mode or edit security policies for specific sites, but a full global disable isn’t practical without compromising your online safety.
Q: How do I clear saved HTTPS redirects?
A: Use browser tools like Chrome’s or Edge’s net-internals to delete HSTS entries. In Firefox, disabling HTTPS-Only Mode usually solves it.
Q: Is there a plugin to control HTTPS redirection?
A: Some browser extensions like “Smart HTTPS” or “HTTPS Everywhere” (now integrated by default in many browsers) allow more fine-tuned control but aren’t always able to override built-in security features.
Q: Does disabling HTTPS affect cookies and login forms?
A: Yes. Using HTTP instead of HTTPS may cause websites to block login forms or restrict cookie use due to security policies. Always verify before disabling HTTPS selectively.