Safari Redirecting http to (non-existent) https

If the site has previously indicated to Safari that it wishes to always be accessed over HTTPS through HSTS (HTTP Strict Transport Security), then Safari will always try to redirect to HTTPS.

You can clear the HSTS cache by deleting ~/Library/Cookies/HSTS.plist.

Note that Safari does also cache 301 redirects for a while and thus clearing the normal Safari cache may also be necessary: from the Develop menu (enable in Preferences → Advanced), choose Empty Caches.

#For 2020...

In current MacOS, you must

  1. Clear the cache in Safari. (Developer menu.) Then immediately:
  2. Quit Safari, and any other apps that may use networking (quit all apps)
  3. Open /Users/ your user name /Library/Cookies which will look like:

enter image description here

  1. Throw HSTS.plist in the trash, then immediately restart the whole Mac.

In extreme cases, turn off all bandwidth to the Mac before steps 1-2-3-4.

In current MacOS, the HSTS list is immediately rebuilt if the file is thrown away, if any networking happens. Hence the Mac needs an immediate restart for trashing to work.


HSTS Policy is now included in Safari's stored website data, and you can remove localhost data to clear this issue.

  1. command + ,
  2. Privacy -> Manage Website Data...
  3. Search localhost
  4. Click Remove

Change https://localhost to http://localhost in your address bar and click return key.


Since December 2017, Google has added ".dev" TLD to the preloaded HSTS list for Chrome!

Safari uses the same list. So Safari will always add *.dev to HSTS list...

Seems many developers will need to change .dev suffix to another one :(

See: Chrome to force .dev domains to HTTPS via preloaded HSTS


I haven't found any working solution but for a workaround use 127.0.0.1 instead of localhost

http://localhost/

http://127.0.0.1/