CSP is a technique designed to impair xss-attacks. That is, it is most useful in combination with serving hypermedia that relies on other resources being loaded with it. That is not exactly a scenario I would expect with an API. That is not to say you cannot use it. If there really is no interactive … Read more
It’s not a problem with Apache, but with the fact that Rails sends an HSTS header. In Chrome, you can clear the HSTS state by going into about:net-internals, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = true also uses a 301 (permanent) redirection. In … Read more
You can type thisisunsafe anywhere on the Google Chrome warning page and it will load it without warning. No joke.
I was able to solve this based on an answer from Ask Different. In short, closing Safari, then running the commands below, worked. sudo killall nsurlstoraged rm -f ~/Library/Cookies/HSTS.plist launchctl start /System/Library/LaunchAgents/com.apple.nsurlstoraged.plist Restarting Safari after running that and trying to go to http://localhost:3000 solved the problem and did not redirect to to https. Hopefully this … Read more
You can follow the solution here. When Google Chrome keeps redirecting your localhost Url from http://localhost to https://localhost, do the following: Open the Developer Tools panel (CTRL+SHIFT+I) Click and hold the reload icon A menu will open Choose the 3rd option from this menu (“Empty Cache and Hard Reload”)
The server you are trying to connect with uses strict-transport-security (HSTS) to ensure https only is used with this site rather than the default http. This means if you enter http://www.servername.com then Chrome will automatically convert this to https://www.servername.com. This is a security feature to prevent use of http, which is unencrypted and which can … Read more
Navigate to chrome://flags/#allow-insecure-localhost and set this to enabled.