HTTP upgrade happening for all sites even with option disabled

I have the option “Upgrade connections to HTTPS” turned off, but the browser still keeps changing all http url’s to https. We have a good number of http only url’s internally that I’m not able to use from Brave. Is this a known problem?

I’m using Version 1.25.68 Chromium: 91.0.4472.77 (Official Build) (64-bit) on Ubuntu Linux.

I tried to reproduce this but I wasn’t able to.

I used which does not redirect to HTTPS but which is on the HTTPS Everywhere list:

  1. Load using default settings.
  2. Confirm you end up on (HTTPS).
  3. Disable Upgrade connections to HTTPS toggle in brave://settings/shields.
  4. Load in a new tab.
  5. Confirm that you stay on (HTTP).

I obviously can’t test your internal sites, but maybe those servers are configured differently?

Thanks for the fast response. I tried your test and it behaves correctly. So now I’m wondering what’s different about our internal servers. When I open them in a private window they do not change from http to https. Is there some information I could read to find out what might be triggering Brave to try to convert them to https?

That’s really strange. All I can think of is that somehow the browser cached the (internal) redirect from HTTP to HTTPS. You could try clearing the browser cache.

In terms of server config, you could share the output of these commands for your server (using the correct URL instead of

$ curl --head
HTTP/1.1 200 OK
Connection: Keep-Alive
X-Powered-By: PHP/5.6.40
Set-Cookie: PHPSESSID=d3f787f189d7fa404f571c4a60bf48ea; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Cache-Enabled: True
Set-Cookie: wpSGCacheBypass=0; expires=Fri, 04-Jun-2021 18:15:36 GMT; Max-Age=-3600; path=/
Content-Type: text/html; charset=UTF-8
Link: <>; rel=""
Date: Fri, 04 Jun 2021 19:15:36 GMT
Server: LiteSpeed
X-Powered-By: PleskLin

$ curl --head
HTTP/2 200 
x-powered-by: PHP/5.6.40
x-powered-by: PleskLin
set-cookie: PHPSESSID=c272d5ee9f7b0c0f77ae8af3f7850e3f; path=/; secure
set-cookie: wpSGCacheBypass=0; expires=Fri, 04-Jun-2021 18:15:52 GMT; Max-Age=-3600; path=/; secure
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-cache-enabled: True
content-type: text/html; charset=UTF-8
link: <>; rel=""
date: Fri, 04 Jun 2021 19:15:52 GMT
server: LiteSpeed
alt-svc: quic=":443"; ma=2592000; v="43,46", h3-Q043=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-25=":443"; ma=2592000, h3-27=":443"; ma=2592000

and removing any sensitive info that you don’t want to share (e.g. the URL, any cookie headers).


Now I feel foolish. I should have tried that first. I cleared the browser cache and now it’s working. Thanks for the help!

1 Like

This topic was automatically closed after 29 hours. New replies are no longer allowed.