HTTP Strict Transport Security (HSTS) is a security mechanism that instructs the browser to automatically upgrade HTTP requests to HTTPS before sending them to the server.

When you are developing a web application, you should disable HSTS for localhost. This is because enabling HSTS on localhost has implications for other applications. For instance, some applications start a local web server and open a browser. However, they cannot use a certificate, so they cannot use https. If a website enables HSTS on localhost once, these applications won't work as they are not listening on
# Clearing HSTS policy manually
You can open the page about://net-internals/#hsts in the browser and clear HSTS data for
# Using another domain for development
HSTS is per domain. So, you can use another domain for development. For instance, you can use myapp.local instead of localhost. This way, even if the app is using HSTS, it won't affect other applications using localhost. To set up a domain, you need to edit the HOSTS file:
Then, you can use https://myapp.local in your browser.
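One way to apply both pieces of advice on the server side is to send the HSTS header only when the request's host is not a loopback name. The following is an added example, not code from the original post; the WSGI middleware, the function names and the policy value are assumptions made for illustration.

```python
import ipaddress

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # assumed policy value


def is_loopback_host(host_header):
    """Return True when the Host header names localhost or a loopback IP."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):             # bracketed IPv6 literal, e.g. [::1]:5001
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:           # hostname:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")              # "localhost." is the same name
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                     # a regular DNS name such as myapp.local


def hsts_except_loopback(app, value=HSTS_VALUE):
    """WSGI middleware: add HSTS on HTTPS responses unless the host is loopback."""
    def wrapped(environ, start_response):
        secure = environ.get("wsgi.url_scheme") == "https"
        loopback = is_loopback_host(environ.get("HTTP_HOST", ""))

        def patched_start(status, headers, exc_info=None):
            # Drop any HSTS header set further down, then re-add it only if allowed.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            if secure and not loopback:
                headers.append(("Strict-Transport-Security", value))
            return start_response(status, headers, exc_info)

        return app(environ, patched_start)
    return wrapped


def response_headers(host, scheme="https"):
    """Run a constructed request through the middleware and return its headers."""
    captured = []

    def inner_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    app = hsts_except_loopback(inner_app)
    app({"HTTP_HOST": host, "wsgi.url_scheme": scheme},
        lambda status, headers, exc_info=None: captured.extend(headers))
    return dict(captured)
```

With this in place, a request to https://myapp.local receives the header while a request to https://localhost:5001 does not, so the browser never stores an HSTS entry for localhost.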