Skip to content
This repository has been archived by the owner on Jul 15, 2022. It is now read-only.
This repository has been archived by the owner on Jul 15, 2022. It is now read-only.

macOS: localhost added to HSTS list which forces a redirect from http to https everytime localhost is used #3

Open
joaomvfsantos opened this issue Jul 8, 2020 · 4 comments
Open

macOS: localhost added to HSTS list which forces a redirect from http to https everytime localhost is used #3

joaomvfsantos opened this issue Jul 8, 2020 · 4 comments

Comments

@joaomvfsantos
Copy link

After running site and generating the root certificates the localhost domain was added to the ~/Library/Cookies/HSTS.plist file which forces then the OS to always use https on localhost, even when site.js is not running.

My solution was to:

  1. Kill nsurlstoraged service
$ sudo killall nsurlstoraged
  1. Remove the HSTS.plist file (via terminal or via finder directly)
$ rm -f ~/Library/Cookies/HSTS.plist
  1. Restart the nsurlstoraged service
$ launchctl start /System/Library/LaunchAgents/com.apple.nsurlstoraged.plist
@adrianshort
Copy link

If you're running macOS Mojave (10.14) or Catalina (10.15) you need to enable full disk access for your Terminal app before the instructions above will work.

  1. Open Security and Privacy in System Preferences.
  2. Go to the Privacy tab.
  3. Click the lock in the bottom left corner to authenticate.
  4. Select Full Disk Access from the list on the left.
  5. Add and select your Terminal app in the list on the right.

@aral
Copy link
Contributor

aral commented Aug 6, 2020

@joaomvfsantos Thank you for writing this up and sharing the workaround and @adrianshort thank you for the macOS-specific prerequisites; appreciate it :)

This is due to Site.js using Helmet for localhost servers as well as for servers at hostname and HTTP Strict Transport Security (HSTS) is enabled by default in the current version. The next version, which I’m going to take a look into seems to take a piecemeal approach from the start.

Disabling HSTS for localhost servers should be a good idea.

In fact, unless I’m missing something, I’m not actually sure we should even be using Helmet at all for localhost servers…

@aral aral mentioned this issue Dec 28, 2020
Closed
@Fil
Copy link

Fil commented Jan 1, 2021

Was just bitten by this after testing site.js, all the localhost:8008 dev URLs (for other projects) stopped working.

On top of @joaomvfsantos and @adrianshort 's solution, I also had to clear Chrome's memory of the setting. To do this went to chrome://net-internals/#hsts, and in the "delete" section typed "localhost". 😅

@aronfiechter
Copy link

aronfiechter commented Feb 10, 2022
edited
Loading

I started using site today and I'm really liking it, but this issue is kind of annoying.
After developing a bit my site website (which will be my personal website), I have to clear the https setting, otherwise I cannot work on work-related projects that I need to run on various localhost:3000 etc. while developing.
Is there a way to develop with site that doesn't change this setting for localhost?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Fil @aral @adrianshort @joaomvfsantos @aronfiechter