Disable forcing HTTPS

Description of the issue:
I cannot run localhost for dev as it always gets upgraded to HTTPS. It only works in incognito, where the upgrade is not forced; however, that really isn’t a good experience.

Related Brave settings:

  • brave://settings/security → Always use secure connections: off
  • brave://flags → Use HTTPS by Default: Disabled
  • brave://flags → Allow invalid certificates for resources loaded from localhost: Enabled
  • brave://flags → HTTPS Upgrades: Disabled

Steps to Reproduce:

  1. Run a local server on localhost with port XXXX
  2. Go to http://localhost:XXXX

Actual Result:
Upgraded to HTTPS

Expected result:
No upgrade to HTTPS

Brave Version:
Version 1.61.116 Chromium: 120.0.6099.217 (Official Build) (64-bit)

Operating system information:
Edition: Windows 11 Home
Version: 23H2
Installed on: 10-Nov-23
OS build: 22631.3007
Experience: Windows Feature Experience Pack 1000.22681.1000.0

@JanSuran,
Did you try it after disabling HTTPS upgrades in Shields as well?

Uhm, I saw in some related post there should be the option for that; however, I cannot really find it.

@JanSuran,
Visit localhost:XXXX, click the Shields icon in the address bar and change the HTTPS option to Don't upgrade to HTTPS connections.

Oh, thanks for this information. Well, I cannot really find the option to turn it off :thinking: and this did not work when typing http://localhost:2222 manually.

Hmm thanks for testing. Fyi, if you toggle Shields “on” and expand to the advanced controls, you get more granular Shields settings:

Let me take a closer look at what other options you have here — seems like one/all of these options should have done what you need.

Still no change, sadly.

@JanSuran,
Yes I assumed that the advanced option would not work if it didn’t work after disabling Shields entirely — just wanted to show you where the option was/that you can expand that menu. Hope to have more information for you soon.


@Mattches any idea why theirs is different? Thought most or all Desktop would have same settings. Screenshot of my same window of Shields settings is below:

Kind of weird that second down for mine is about HTTPS but theirs is Block Scripts.

Actually I’m a bit surprised, because I think this option was there on my previous laptop. I can check.

Hmmm I’m…actually not sure either? Will have to look into that as well.


Version 1.60.114 Chromium: 119.0.6045.124 (Official Build) (64-bit)

Edition Windows 11 Education
Version 22H2
Installed on 02.10.2022
OS build 22621.2283
Experience Windows Feature Experience Pack 1000.22662.1000.0

So this is my other laptop where it looks fine:

Actually I think the flag that you flipped is why it’s not appearing in default shields settings. So go back to brave://flags and change the #https-by-default flag to Enabled and the option will appear in Settings --> Shields again.


Oh, that’s right, but it still forces HTTPS if I disable “Upgrade connection to HTTPS”.

Yes — again, just solving one mystery at a time!

Can you please try the following?

  1. Attempt again to go to localhost and when you see the error message, go ahead and click the “tune” icon in the address bar, then click where it says Connection is secure (or Insecure), then View certificate and share a screenshot of the resulting window?
  2. Can you also please go to brave://net-internals/#hsts and, in the Query HSTS/PKP domain section, type in localhost and click Query and tell me what appears when it’s run?

Thank you

Well, I can’t really see the icon… and this link redirects me to https://support.brave.com/hc/en-us/articles/360018185871-How-do-I-check-if-a-site-s-connection-is-secure-

The icon is there, only if the site is secure it looks like:
image

Thanks for checking. Let me know what you find after performing #2 above as well.

Found:
static_sts_domain:
static_upgrade_mode: UNKNOWN
static_sts_include_subdomains:
static_sts_observed:
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: localhost
dynamic_upgrade_mode: FORCE_HTTPS
dynamic_sts_include_subdomains: true
dynamic_sts_observed: 1703465950.686705
dynamic_sts_expiry: 1735001950.686703

@JanSuran,
On that same page (brave://net-internals/#hsts), in the Delete domain security policies, enter localhost in the Domain field and click Delete. Relaunch the browser and test again and let me know if this resolves the issue.

Thank you

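An added example, not part of the original thread: a small Python parser for the Query HSTS/PKP domain output posted above, which reports whether a dynamic entry is forcing HTTPS for the host and how long it will persist. It assumes the `dynamic_sts_observed` and `dynamic_sts_expiry` values are Unix timestamps in seconds; the function names `parse_hsts_query` and `diagnose` are hypothetical.

```python
from datetime import datetime, timezone

# Query result for "localhost" as posted in the thread (one copy of the repeated output).
SAMPLE = """\
static_sts_domain:
static_upgrade_mode: UNKNOWN
static_sts_include_subdomains:
static_sts_observed:
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain: localhost
dynamic_upgrade_mode: FORCE_HTTPS
dynamic_sts_include_subdomains: true
dynamic_sts_observed: 1703465950.686705
dynamic_sts_expiry: 1735001950.686703
"""

def parse_hsts_query(text):
    """Turn the 'key: value' lines into a dict; the first copy of a repeated key wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields

def _day(ts):
    # Assumption: the timestamp is seconds since the Unix epoch.
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")

def diagnose(fields, now=None):
    """Summarise the dynamic_* HSTS entry, if it is forcing HTTPS."""
    if fields.get("dynamic_upgrade_mode") != "FORCE_HTTPS":
        return {"forces_https": False}
    observed = float(fields["dynamic_sts_observed"])
    expiry = float(fields["dynamic_sts_expiry"])
    now = datetime.now(timezone.utc).timestamp() if now is None else now
    return {
        "forces_https": True,
        "host": fields["dynamic_sts_domain"],
        "include_subdomains": fields.get("dynamic_sts_include_subdomains") == "true",
        "observed_utc": _day(observed),
        "expiry_utc": _day(expiry),
        # Assumption: expiry - observed approximates the lifetime the entry was stored with.
        "implied_lifetime_s": round(expiry - observed),
        "still_active": expiry > now,
    }

if __name__ == "__main__":
    print(diagnose(parse_hsts_query(SAMPLE)))
```

For the posted output this shows an entry with a one-year lifetime, which is why the upgrade survives flag and Shields changes until the entry is deleted or expires.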