I have a website with Cloudflare that I needed to force to “HTTP”.
Recently Chrome keeps redirecting my website to HTTPS. TLDs: net, buzz.
And if I try to put HTTPS-to-HTTP redirect code in my page, it causes an infinite redirect loop.
I tested it on a static txt file, basic htaccess, and basic nginx/httpd settings to rule out any redirection issue from my server settings.
My website is not on the HSTS preload list, I have tried to disable cache/security, automatic https redirect and everything that could possibly cause the issue on my Cloudflare page rules.
Tried development mode.
I have checked my server log and found nothing useful.
I have the Flexible SSL option in Cloudflare and I do not have any setting for HTTPS on my server.
The only thing I found about this issue is:
Request URL: hxxp://xxxcom/z.
Request Method: GET
Status Code: 307 Internal Redirect (from disk cache)
Referrer Policy: strict-origin-when-cross-origin
Location: hxxps://xxxcom/z. txt
I don’t quite understand the above headers. Does that mean Chrome targets all websites with Cloudflare DNS so that they can be loaded with HTTPS only?
Or is there anything I can do to fix this?
I have tried to change the DNS for my internet, and I have also tried to use the domain without Cloudflare; this problem does not exist if my domain is not on Cloudflare.
May I ask have you tried using a different Web browser, or tried clearing your Web browser cache?
Today’s standards are quite good and secure. Unfortunately, there are some services which might require using an insecure setup and HTTP.
That’s also available for other Web browsers nowadays, especially if you are using an option like “HTTPS-only”, which means you cannot open any HTTP website, only HTTPS.
They might do a default HTTP to HTTPS redirection, or throw some warning, if so.
More about it can be read in the articles below:
Here's how you can enable HTTPS-only mode in popular web browsers, including Chrome, Firefox, and Edge to access secure websites.
So you don’t have an SSL certificate at your origin host, nor a virtualhost file configured for any HTTP to HTTPS redirection?
Useful posts I’ve found and sharing here for some better insight and overview:
I am not sure if I fully understand your question.
If you have mentioned option disabled, all HTTP requests will still hit your origin via HTTP. It is then up to you what to do with that request and whether to redirect it to HTTPS or not. Cloudflare should not perform any redirects in that case.
The 307 is an internal redirect due to the HSTS header.
In which case, you may have users with your site on the HSTS list in their browser (from a previous visit), but clicking on old http URLs, but visiting you over HTTPS. It would be much easier to do a blanket HTTPS redirect in cloudflare, and redirecting (perhaps a second time) to the new canonical URL.
Also, your HSTS max age is too low to be preloaded, but you are issuing a preload command.
You don’t really need to worry too much about HSTS, unless you planned to move back to HTTP. The preload issue is only because you specified half a year, whereas https://hstspreload.org requires a year.
The HSTS seems to be a Chrome peculiarity as that redirect does not show up in Firefox at all, but Firefox goes straight for HTTPS.
What I’d recommend is to have Cloudflare perform the HTTPS redirect and only have the redirect from the previous to the new URL structure on your side.
The redirect you are referring to is not a redirect in the first place as that is something the browser runs internally. Firefox for example doesn’t show it.
Try it with a different browser or reset your Chrome and the first request shouldn’t show a 307.
Fair enough, though the entire SEO panic regarding most things is exaggerated anyhow. It is not like a search engine will drop you because of a redirect. Firefox, for example, does not even show such a redirect but loads HTTPS straight away.
Make sure the SSL/TLS option is set to Off rather than any other.
Furthermore, make sure you’re not using Automatic HTTPS Rewrites, nor Always Use HTTPS, nor any other HTTPS-related option such as HSTS preload and similar available in the Cloudflare dashboard.
This tutorial covers getting SSL working with Cloudflare in various different scenarios.
This assumes you already have your website set up on Cloudflare with all your DNS records set to
, if not - please visit Step 1.
Do you want the website to use HTTPS?
Yes
Do you already have a valid SSL certificate installed on your server (i.e. does it already load over HTTPS with a )?
If your website already works over HTTPS, you can just set your SSL mode in Cloudflare to Full (strict)…
What about “Always Use HTTPS” in Edge Certificates? Is that on? If that’s on, proxied traffic will always redirect to HTTPS. As far as I can tell, it can’t be turned off via page rule, although if it’s turned off for the whole domain, it can be selectively turned back on via page rule.
Also, have you tested using curl instead of a browser? Do curl -I http://example.com/ to see the response and whether it’s a redirect or not; if it is a redirect, the headers will also give you hints about whether it was initiated by Cloudflare or your origin server. Curl also doesn’t honor HSTS or any other kind of automatic HTTPS switching (but it will follow redirects if you use the
It only happens in the Chrome browser. I have tried other major browsers and they do not have this problem, which is why I suspect Google targeted Cloudflare DNS to make all the domains on Cloudflare only accessible via HTTPS, based on the header.
I don’t have SSL certificate at my origin host, and no configuration of HTTPS for my virtualhost files for several years now.
I mentioned I turned off everything in Cloudflare that could potentially cause the problem. I even created a page rule pointing to that specific txt file to turn off everything, still the same.
My Chrome is using secure connection set to off (default).
This is one of the examples I found: hxxpwww.elitescorthatunDOTcom/ad-category/antalya-escort/ , it is not my website but you can check if you want.
Always Use HTTPS is the first setting I looked at, and it was already turned off when I first checked.
Curl looks normal; the problem definitely only happens on Chrome, and on sites hosted with Cloudflare.
curl -I hxxp://d.
HTTP/1.1 200 OK
Date: Thu, 04 Aug 2022 16:49:16 GMT
Last-Modified: Thu, 04 Aug 2022 16:30:05 GMT
X-XSS-Protection: 1; mode=block
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Chrome has gotten really aggressive about HTTPS upgrades and seems to try to upgrade as long as port 443 is open, even in circumstances when there’s not a valid SSL cert (kinda frustrating).
With proxied traffic, even if port 443 is closed on your server, port 443 is always going to be open on Cloudflare’s proxy, so there’s not much you can do about that.
The alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 header might warrant further investigation.
I wonder if stripping that out with a Transform Rule would change anything.
HTTP Response Header Modification Rules · Cloudflare Rules docs
Also, just to be absolutely certain, you did search your domain on https://hstspreload.org/ to make sure you’re not on the list, right? Even if you never submitted, if you had the necessary Strict-Transport-Security header set at some point, someone could have submitted the domain without your knowledge.
The 307 redirect is coming from your browser cache.
We are seeing the same thing with Chrome 104.
Chrome will sometimes decide to always redirect to https even though our primary use is http.
So I disabled CF proxy and the redirect problem stopped even though nothing had changed server side.
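The curl check suggested in this thread can be scripted. The following is an added example, not code from any poster: it parses `curl -I` output and reports which HTTPS-upgrade signals actually travel over the wire (a real 3xx to https, an HSTS header and whether it meets the one-year preload minimum, an Alt-Svc advertisement). The function names, finding labels and both sample responses are constructed for illustration.

```python
import re
import sys

PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org minimum mentioned in the thread

# Constructed sample: plain-HTTP answer like the curl output posted above.
SAMPLE_PLAIN = '''HTTP/1.1 200 OK
Date: Thu, 04 Aug 2022 16:49:16 GMT
X-XSS-Protection: 1; mode=block
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
'''

# Constructed sample: a redirect sent by the server, with a half-year HSTS policy.
SAMPLE_REDIRECT = '''HTTP/1.1 301 Moved Permanently
Location: https://example.com/z.txt
Strict-Transport-Security: max-age=15552000; preload
'''

def parse_headers(raw):
    """Split `curl -I` output into (status_code, {lowercased-name: value})."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers

def diagnose(raw):
    """Return the upgrade signals present in one response, in a fixed order."""
    status, h = parse_headers(raw)
    findings = []
    if 300 <= status < 400 and h.get("location", "").lower().startswith("https://"):
        findings.append("server-redirect")  # sent by origin or proxy, not the browser
    sts = h.get("strict-transport-security")
    if sts is not None:
        findings.append("hsts-header")  # browsers only honor it when received over HTTPS
        m = re.search(r'max-age\s*=\s*"?(\d+)', sts, re.I)
        age = int(m.group(1)) if m else 0
        directives = {d.strip().lower() for d in sts.split(";")}
        if "preload" in directives and (
                age < PRELOAD_MIN_AGE or "includesubdomains" not in directives):
            findings.append("preload-ineligible")
    if "alt-svc" in h:
        findings.append("alt-svc-advertised")
    # Chrome's "307 Internal Redirect" never shows up here: it is synthesized locally.
    return findings or ["no-upgrade-signal"]

if __name__ == "__main__":
    # Usage: curl -sI http://example.com/ | python3 diagnose.py
    print(", ".join(diagnose(sys.stdin.read())))
```

If curl reports no `server-redirect` while Chrome still shows a 307, the upgrade is happening inside the browser rather than at the origin or proxy.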