Customized Suzuki Intruder in French village
Photo: Copyright © 2014 Eelke Blok

High Sierra 10.3.2 forces local .dev sites to use HTTPS?

It looks like the version of Safari that comes with macOS High Sierra 10.13.2 now has the .dev domain added to its HSTS preload list. What this means is that if you run your development sites on a .dev top-level domain, like me, Safari will force it to use https. This is not due to some stunt Apple pulled, but because Google is the owner of the .dev TLD and has submitted it to HSTS preload.

Options to work around this include using https on your development system (this may be easy or may be hard, depending on your system) or move to a different TLD. The "blessed" TLD to use for this sort of thing is .test.

This is all still a bit speculative and unconfirmed, but a colleague who updated to macOS 13.2 ran into this head first. Switching to .test has solved the issue.

Update 9/12/2017: It seems Safari also refuses to open the site if it is running from the snakeoil certificate that comes at least with my Apache install, presumably because it is not secure enough. I'll be switching to the .test TLD, which apparently was devised for this purpose specifically.

Add new comment