Cannot use http://localhost:8080

http with localhost port 8080 is always rewritten as https

As a java/web developer I often run applications locally (on localhost) but cannot use the “http” protocol with localhost in brave since it always rewrites it as “https” and so I need to switch to chrome or firefox. While I could configure a certificate and https for the application it is quite some effort each time.

To reproduce:

  • Locally run a spring boot web application. (anything running locally and listening on an http port should work)
  • Paste or type http://localhost:8080 into the address bar

Expected result:
URL has been rewritten as https with a response:

This site can’t provide a secure connection
localhost sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Expected result:
Local webpage is displayed

Brave Version

Version 1.17.75 Chromium: 87.0.4280.88

Additional Information:
I have this on mac and windows. Chrome works fine, firefox also.

In developer tools in Brave I see a 307 status code. I’m pretty sure the Spring Boot app is not sending back a redirect to https (it is not configured for https)

From Developer Tools:
Request:
Request URL: http://localhost:8080/
Request Method: GET
Status Code: 307 Internal Redirect
Referrer Policy: strict-origin-when-cross-origin

Response:
HTTP/1.1 307 Internal Redirect
Location: https://localhost:8080/
Non-Authoritative-Reason: HSTS

I’ve searched and looked through all the settings in brave but can’t seem to find one that can help. I also disabled shields for localhost and tried allowing insecure content. No change.
Disabling all extensions did not help.

I found a solution for this.

I saw that a beta was available and so downloaded that. It worked.
I have been having this issue for a few months now and so didn’t think it was a version issue.

I reset all settings on Brave in my existing installation and it worked! So there must have been some setting causing it but I have no idea which. Also strange that I have the same issue on my (synced) windows installation as well. It is possibly fixed there as well, will check later.

Yes, because I tried http://localhost:8080 and I’m not redirected to https.

Normally by default any connection not https would get upgraded to https if able… Just uncheck the settings in shields…

Hi.
yes I already tried that one :slight_smile:

Ok I finally found out the problem (I still had the issue on my Windows installation).

The “Non-Authoritative-Reason: HSTS” gave me a clue.

The web app I work on uses HSTS (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) and so when running it (with https) on localhost it sets the browser to use HSTS. Other apps then cannot use http on localhost!

This setting can be cleared by using the following link and entering localhost in the Delete domain security policies

brave://net-internals/#hsts

This works but the issue will probably return the next time I use localhost.

i will try to set it permanently with this (I guess brave has something similar). It may not work but I’m happy I understand the issue and can reset it :slight_smile:

AFAIK Brave uses HTTPS Everywhere’s lists, which means that the https redirect only works if the website is on the list.

Making it a “default” behavior is only possible with

  1. Firefox’s HTTPS-only mode
  2. using an extension such as Smart HTTPS

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.