Stop Brave from redirecting http://localhost to https://localhost

Brave is redirecting http://localhost to https://localhost.

I am a developer that needs to be able to host sites on http://localhost.

I have disabled “Upgrade connections to HTTPS” in Shields and added localhost in the “Allowed to show insecure content” list. The setting “Always use secure connections” is also disabled.

How can I make this work?

I am at the point where I can’t use Brave anymore. I need to uninstall it and use another browser.

We use HTTPS Everywhere rules; you could just disable HTTPS Everywhere globally or for localhost?

Where do I disable it everywhere?

Thanks for the reply.

Hi

@trekco

Enter brave://settings/shields in the URL bar and disable Upgrade connections to HTTPS.

@CerealLover I don’t want to be rude, but did you read my post?

I already mentioned that it is disabled.

@fanboynz

UPDATED 20220620 Monday

I was mistaken re what @fmarier refers to, when I wrote earlier:

@fmarier refers to ‘HTTPS Everywhere’ as ‘HTTPS Only’ - if I am not mistaken - and I have not managed (so far) to locate where the ‘rules’ that you [@fanboynz] mention, may be adjusted (as @trekco has wondered).

The following terms are NOT the same thing:

  • HTTPS Everywhere
  • HTTPS Only

I also mistakenly thought I had found the ‘HTTPS Everywhere’ toggle switch, when actually, I had found the ‘HTTPS Only’ toggle switch: ‘Always use secure connections’ - that is illustrated in the second screenshot supplied by @trekco herein.

See the next post by @fmarier that follows . . .

There are three things I can think of that will upgrade top-level HTTP URLs to HTTPS:

  1. HTTPS Everywhere: This is based on a list of rules and so it wouldn’t cover localhost. Also, it’s covered by the Upgrade connections to HTTPS toggle in the Shields settings.
  2. “HTTPS only” mode: This upgrades all HTTP URLs to HTTPS, no rules required. This is controlled by the Always use secure connections toggle in the Security settings.
  3. HTTP Strict Transport Security (HSTS): This is a response header that a site can supply which will tell the browser that future visits need to be over HTTPS. This is controlled by the site and will be remembered by the browser. It can be cleared via brave://settings/clearBrowserData (I think it’s the Cookies and other site data option) or via brave://net-internals/#hsts.

My guess is that you’re looking at #3 and that you’ve had in the past a locally-running web service that returned an HSTS header with a very long expiry time.

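Added example, not written by any participant in this thread: a simplified model of how a browser processes the Strict-Transport-Security header (RFC 6797), showing how a single HTTPS response from one local service can pin every localhost port to HTTPS. The function names, ports and sample responses are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# One directive: a token, optionally "=" followed by a token or quoted-string value.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*(?:=\s*("?)([^";]*)\2)?\s*$')

def parse_hsts(value):
    """Return the policy a browser would store, or None if the header is ignored."""
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue                      # empty directives are allowed
        m = _DIRECTIVE.match(part)
        if not m:
            return None                   # malformed directive
        name = m.group(1).lower()         # directive names are case-insensitive
        if name in seen:
            return None                   # a repeated directive invalidates the header
        seen[name] = (m.group(3) or "").strip()
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                       # max-age is required and must be an integer
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

def hsts_state(responses, host="localhost"):
    """Replay (url, header) pairs in order; return the policy pinned on host, or None."""
    pinned = None
    for url, header in responses:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != host:
            continue                      # HSTS received over plain HTTP is ignored
        policy = parse_hsts(header)
        if policy is None:
            continue
        # The entry is keyed by host name only, so one port's header pins every port.
        pinned = policy if policy["max_age"] > 0 else None   # max-age=0 deletes the entry
    return pinned

# Constructed sample: responses from hypothetical local dev services.
SAMPLE = [
    ("http://localhost:3000/", "max-age=31536000"),                      # ignored: plain HTTP
    ("https://localhost:8443/", "max-age=63072000; includeSubDomains"),  # pins localhost
    ("https://localhost:8443/", "max-age=0; max-age=0"),                 # ignored: duplicate
]

if __name__ == "__main__":
    print(hsts_state(SAMPLE))
```

In this model, a later valid `max-age=0` response served over HTTPS from any localhost port clears the entry, which is the header-level equivalent of deleting it via brave://net-internals/#hsts.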

@trekco

Maybe test Enable / Disable for: