Chrome http redirect insecure site - google-chrome

My site has a server-level redirect from HTTP to HTTPS, but Chrome shows a "Site is not secure" warning before redirecting, even though the user will never see the insecure site. This is bad UX, because the user has access to a secure site and Chrome is the one not checking whether secure access / a redirect is available. Most sites redirect from http to https, but only some of them are blocked in Chrome. What is the reason for this? How can I fix this on my sites?
My site is https://theinfinitezero.com
But if I just put http://theinfinitezero.com
it gets blocked instead of redirecting.

Related

307 Internal Redirect Non-Authoritative-Reason: DNS

I searched everywhere and found no information about this specific redirect.
I have an app that needs to use "HTTP" to function. Recently Chrome started to redirect my app to HTTPS automatically, and if I put HTTPS-to-HTTP code in my app it causes an infinite loop.
My app is not on the HSTS preload domain list, and my app and server have no redirect code to HTTPS.
Request URL: http://4444.com/z.txt
Request Method: GET
Status Code: 307 Internal Redirect (from disk cache)
Referrer Policy: strict-origin-when-cross-origin
Cross-Origin-Resource-Policy: Cross-Origin
Location: https://4444.com/z.txt
Non-Authoritative-Reason: DNS
This does not happen on any browser other than Chrome.
Does that mean Chrome is targeting my host's DNS to make sure all websites hosted on that DNS are HTTPS?
If yes, I think this is a very bad move from Google, as I can't find any announcement by Google that they will start forcing HTTPS on websites. This could break many non-HTTPS sites without prior warning.
If not, what can I do to fix this issue?
Thanks
I encountered the same problem as you, and it didn't happen all the time; sometimes when I opened another window in incognito mode, the redirect disappeared! Sooooo annoying :(
And I just tried another way; it seemed to work fine for me!
Go to chrome://net-internals/#dns, click Clear host cache, then refresh your page, and the redirect will be gone!
Even if "Always use secure connections" (chrome://settings/security) is disabled, Chrome will still try to use HTTPS if it finds HTTPS records in DNS, as per the #dns-https-svcb flag, "Support for HTTPS records in DNS" (chrome://flags/#dns-https-svcb), which is enabled by default.
This causes the loop leading to ERR_TOO_MANY_REDIRECTS with Non-Authoritative-Reason: DNS.
Either remove any HTTPS record from the host's zone file or disable the aforementioned flag in Chrome.
Did you access the websites using a VPN? The VPN server seems able to force HTTP to HTTPS.

Does the WeChat in-app browser support self-signed HTTPS URLs?

I have a web application on my local WAMP server, which has self-signed SSL enabled. That made my app URL
https://myipaddress:port/demoapp/index.html
When I ping the above URL in the WeChat chat window and click on the link, it does not open my demoapp home page, just a blank page. When I paste the same link with http, as http://myipaddress:port/demoapp/index.html, the WeChat browser opens my demoapp homepage without any issues.
Any clues on how to open HTTPS URLs from the WeChat in-app browser?
Yes, the WeChat in-app browser does not allow self-signed certificates, unlike Chrome, which asks whether to Trust or Block. I tried placing my demoapp on a server which has a valid DigiCert SHA2 CA certificate, and it works in WeChat.

Google Chrome mixed-content error on HTTPS

I enabled SSL on my website, which is hosted on Blogspot with a custom domain, and I encounter this error in the console, which asks me to Load Unsafe Scripts in the address bar.
What I see in Inspect Element:
This has nothing to do with IPv4. The error just says that, while your page was served over https, it's trying to load an external script via http, which Chrome doesn't allow. You must modify your page to load all resources over https.
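A check for the condition this answer describes, as an added example that is not code from the original post: it scans a page's HTML for subresources that an https page would fetch over plain http. The sample page and the example.test hostnames are constructed.

```python
# Added example, not code from the original post: list subresources that an
# https page would fetch over plain http (what Chrome reports as mixed content).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that fetch a subresource; <a href> is navigation, not a subresource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
}

class MixedContentScanner(HTMLParser):
    """Collect (tag, url) pairs whose resolved scheme is http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr not in RESOURCE_ATTRS.get(tag, ()) or not value:
                continue
            # srcset is "url descriptor, url descriptor"; keep only the URLs
            urls = [c.split()[0] for c in value.split(",") if c.split()] if attr == "srcset" else [value]
            for candidate in urls:
                resolved = urljoin(self.page_url, candidate)  # relative and "//host/..." URLs inherit the page scheme
                if urlsplit(resolved).scheme == "http":
                    self.findings.append((tag, resolved))

def find_mixed_content(page_url, html):
    """Return http subresources of an https page; other pages cannot have mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page, not the asker's Blogspot site.
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/widget.js"></script>
<link rel="stylesheet" href="//cdn.example.test/style.css">
<script src="https://cdn.example.test/ok.js"></script>
</head><body>
<a href="http://other.example.test/">a link is navigation, not a subresource</a>
<img src="/local.png" srcset="http://img.example.test/a.png 1x, /b.png 2x">
</body></html>"""
```

Calling find_mixed_content("https://blog.example.test/", SAMPLE_HTML) flags only the http script and the http srcset entry; the protocol-relative stylesheet and the relative image resolve to https.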

Why does the href="http://...." direct me to "https://..."?

Alright, this is the case:
I have a website. When not logged in, it is an http connection.
On my homepage I have a link to another site:
www.somesite.com
So far so good; when pressing the link, it goes to the site.
But when I log in to my website, I have a secured connection (https).
Now, when I press the same link, it opens https://www.somesite.com although I have the link hardcoded as http in my code. And somesite.com does not provide an https connection, so the browser complains.
How is this possible, and how do I get the browser to just follow the hardcoded URL?
Many websites support a non-secured (http) connection up to the point of user authentication. At that point, many sites will redirect to a secured (https) authentication mechanism and conduct all subsequent communication with the authenticated user over https.
The site you are accessing is being redirected by the server to the secure connection. That is why, when you access the site via your link over http, the server redirects you to the secure site. If you are familiar with the dev tools in your browser, you can probably follow a network trace of the exchange between you and your site and see the redirect at some point in the communication exchange.

Detect Redirect Loop in nginx because Browser Caching of 301 and HSTS

On our current site, all our http traffic is redirected to https using permanent redirects (301).
Now I want to redirect all https traffic to http, and for some pages (like checkout, login) it will be http to https.
I have done the configuration in nginx, and it works fine (tested by adding an entry to /etc/hosts), but only when the browser cache is cleared.
Since the browser caches all the redirects and it is not possible to tell users to clear their browser cache, I am exploring ways to do this project.
What is happening is that when I hit the http version, it gets redirected to the https version due to browser caching. Since in my configuration I have redirected to the http version, the request gets redirected to http and the redirections enter an infinite loop.
The ways I can think of are:
Somehow nginx detects that there is a second request to https and serves https content instead of redirecting to http. I know this is against the principles of HTTP, but I was wondering if it is possible. Please let me know if it is possible this way. I would be serving both https and http to a browser, but when the cache is eventually cleared it will work fine with no further changes required.
If I change the A record in DNS, will it cause the browser cache to be cleared? If so, I will go for it.
I keep both http and https versions for a while with no redirects, and after one month or so, do the redirections.
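As an added example that is not part of the original question, a small simulation of the loop the asker describes; it also models the browser-internal http-to-https upgrade that the Chrome answer earlier on this page attributes to HSTS or a DNS HTTPS record. The hostnames, the checkout and login paths, and the server rules are hypothetical stand-ins for the nginx configuration, not the asker's.

```python
# Added example, not code from the original post. Browser model: stores 301s
# (permanent redirects are cached) and upgrades http->https internally for
# hosts known from HSTS or a DNS HTTPS record (Chrome's "307 Internal Redirect").
from functools import partial
from urllib.parse import urlsplit, urlunsplit

SECURE_ONLY_PATHS = ("/checkout", "/login")  # hypothetical https-only pages

def server_response(url, permanent=True):
    """Hypothetical new policy: https->http except secure-only paths (http->https)."""
    parts = urlsplit(url)
    wants_https = parts.path.startswith(SECURE_ONLY_PATHS)
    code = 301 if permanent else 302
    if parts.scheme == "http" and wants_https:
        return code, urlunsplit(parts._replace(scheme="https"))
    if parts.scheme == "https" and not wants_https:
        return code, urlunsplit(parts._replace(scheme="http"))
    return 200, None

def browse(url, redirect_cache, upgrade_hosts, server, limit=10):
    """Follow redirects as a browser would; return (status, final_url)."""
    for _ in range(limit):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in upgrade_hosts:
            url = urlunsplit(parts._replace(scheme="https"))  # no request is sent
        elif url in redirect_cache:  # stale 301 answered from disk cache
            url = redirect_cache[url]
        else:
            status, target = server(url)
            if status == 200:
                return 200, url
            if status == 301:
                redirect_cache[url] = target  # only permanent redirects are cached
            url = target
    return "ERR_TOO_MANY_REDIRECTS", url

def cached_301_loops():
    """Old http->https 301 still cached from the previous policy: loops."""
    cache = {"http://shop.example.test/": "https://shop.example.test/"}
    return browse("http://shop.example.test/", cache, set(), server_response)[0]

def fresh_browser_ok():
    """Same request with an empty cache settles on http."""
    return browse("http://shop.example.test/", {}, set(), server_response)[0]

def hsts_loops():
    """HSTS or a DNS HTTPS record: https->http never settles, even with 302s."""
    temp_server = partial(server_response, permanent=False)
    return browse("http://shop.example.test/", {}, {"shop.example.test"}, temp_server)[0]
```

The third scenario is the important caveat: once a host has sent HSTS (or publishes a DNS HTTPS record), clearing cached 301s or switching to 302s does not help, because the browser never makes the http request at all.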