There are three things I can think of that will upgrade top-level HTTP URLs to HTTPS:
- HTTPS Everywhere: This is based on a list of rules and so it wouldn’t cover
localhost
. Also, it’s covered by the Upgrade connections to HTTPS toggle in the Shields settings. - “HTTPS only” mode: This upgrades all HTTP URLs to HTTPS, no rules required. This is controlled by the Always use secure connections toggle in the Security settings.
- HTTP Strict Transport Security (HSTS): This is a response header that a site can supply which will tell the browser that future visits need to be over HTTPS. This is controlled by the site and will be remembered by the browser. It can be cleared via
brave://settings/clearBrowserData
(I think it’s the Cookies and other site data option) or viabrave://net-internals/#hsts
.
My guess is that you’re looking at #3 and that you’ve had in the past a locally-running web service that returned an HSTS header with a very long expiry time.