Disabling HSTS for localhost on Chromium-based browsers

  • Gérald Barré

Http Strict Transport Security (HSTS) is a security mechanism that instructs the browser to automatically redirect http requests to https before sending a request to the server. When you are developing a web application, you should disable HSTS for localhost. This is because enabling HSTS on localhost has implications for other applications. For instance, some applications start a local web server and open a browser. However, they cannot use a certificate, so they cannot use https. If a website enables HSTS on localhost once, these applications won't work as they are not listening on https.

#Clearing HSTS policy manually

You can open the page about://net-internals/#hsts in the browser and clear HSTS data for localhost:

#Using another domain for development

HSTS is per domain. So, you can use another domain for development. For instance, you can use myapp.local instead of localhost. This way, even if the app is using HSTS, it won't affect other applications using localhost. To set up a domain, you need to edit the HOSTS file:

C:\Windows\System32\drivers\etc\hosts myapp.local

Then, you can use https://myapp.local in your browser.

Do you have a question or a suggestion about this post? Contact me!

Follow me:
Enjoy this blog?Buy Me A Coffee💖 Sponsor on GitHub