Disabling HSTS for localhost on Chromium-based browsers
HTTP Strict Transport Security (HSTS) is a security mechanism that instructs the browser to automatically upgrade HTTP requests to HTTPS before sending them to the server. When you are developing a web application, you should disable HSTS for localhost, because an HSTS policy cached for localhost affects every other application that uses that host name. For instance, some applications start a local web server and open a browser. They cannot use a certificate, so they cannot serve HTTPS. Once any website has enabled HSTS on localhost, these applications stop working: the browser upgrades their URL to https://localhost, but they are not listening on HTTPS.
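The server-side counterpart of this advice, as an added example that is not from the original post: a small WSGI middleware that emits Strict-Transport-Security only for non-loopback hosts served over HTTPS, so a development build can never poison the browser's HSTS cache for localhost. The loopback host list and the `.localhost` suffix handling are my assumptions, not something the post prescribes.

```python
# Added example: WSGI middleware that never sends HSTS for loopback hosts.
# Assumption: these names are the ones a dev server is reached through.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}


def is_loopback_host(host_header):
    """Return True if the Host header names a loopback host (port stripped)."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):           # bracketed IPv6 literal, e.g. [::1]:8000
        host = host.split("]")[0] + "]"
    elif host.count(":") > 1:          # bare IPv6 literal, no port to strip
        pass
    else:
        host = host.split(":")[0]      # drop :port from name or IPv4
    return host in LOOPBACK_HOSTS or host.endswith(".localhost")


def hsts_middleware(app, max_age=31536000, include_subdomains=True):
    """Wrap a WSGI app; add HSTS only for non-loopback hosts over HTTPS."""
    value = f"max-age={max_age}" + ("; includeSubDomains" if include_subdomains else "")

    def wrapped(environ, start_response):
        def custom_start(status, headers, exc_info=None):
            secure = environ.get("wsgi.url_scheme") == "https"
            if secure and not is_loopback_host(environ.get("HTTP_HOST")):
                # replace any HSTS header the inner app set, then append ours
                headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
                headers.append(("Strict-Transport-Security", value))
            return start_response(status, headers, exc_info)
        return app(environ, custom_start)
    return wrapped


def demo_app(environ, start_response):
    """Minimal inner app used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def response_headers(environ):
    """Run the wrapped demo app on a constructed environ; return headers as a dict."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)
    list(hsts_middleware(demo_app)(environ, start_response))
    return captured
```

Wrap your real application the same way and the HSTS header is emitted for `myapp.local` but never for `localhost`, regardless of how the app is started.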
# Clearing HSTS policy manually
You can open the page about://net-internals/#hsts in the browser and clear the HSTS data for localhost: enter localhost under "Delete domain security policies" and click Delete. The "Query HSTS/PKP domain" section on the same page lets you confirm that no policy remains for localhost.
# Using another domain for development
HSTS is per domain, so you can use a separate domain for development. For instance, you can use myapp.local instead of localhost. This way, even if the app enables HSTS, it won't affect other applications using localhost. To set up the domain, add an entry to the hosts file:
127.0.0.1 myapp.local
Then you can open https://myapp.local in your browser. The browser still needs to trust the certificate your app serves for myapp.local, so use a locally trusted development certificate for that name.