Why Certain Domains Are Forced To Open As HTTPS in Some Browsers

September 24, 2021

Recently, I set up a development environment server and wanted to access it via a test domain that I added to the /etc/hosts file and mapped to localhost. The domain was test.dev. While using curl to test the server response worked, entering the domain in the Google Chrome browser would produce the message "This site can’t be reached".

It turns out that Chrome was redirecting to https, and because my server wasn’t listening on port 443, I received the error. It was surprising because accessing the server on localhost doesn’t result in a redirect to https. In addition, when I added test.com to the /etc/hosts file, no redirection occurred either. Accessing test.dev in Firefox resulted in the same behavior; however, accessing it in the Brave browser did not result in a redirect to https. After some digging into this, I found that:

  1. The .dev TLD was bought by Google.
  2. The Chromium codebase, on which Google Chrome is based, has a file, transport_security_state_static.json, which specifies several TLDs where mode is force-https. The list includes .dev.

Therefore, any .dev domain will be redirected to https in Chrome. According to Wikipedia, the browsers that have a list of TLDs forced to load via https include Firefox and Edge as well.
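
The lookup described above can be reproduced with a short script. This is an added example, not code from Chromium: it checks a hostname and each of its parent suffixes against a small constructed excerpt of the list. The key names `name` and `include_subdomains` and the `example.org` entry are assumptions made for illustration; only the `dev` entry and the `force-https` mode come from the article.

```python
import json
import re

# Constructed excerpt shaped like Chromium's transport_security_state_static.json.
# Only the "dev" entry reflects the article; "example.org" is made up for contrast.
SAMPLE = """
{
  // comment lines like this one are stripped before parsing
  "entries": [
    { "name": "dev", "mode": "force-https", "include_subdomains": true },
    { "name": "example.org", "mode": "force-https", "include_subdomains": false }
  ]
}
"""

def load_entries(text):
    """Parse the list into {name: entry}, dropping whole-line // comments."""
    cleaned = re.sub(r"^[ \t]*//.*$", "", text, flags=re.MULTILINE)
    return {e["name"].lower(): e for e in json.loads(cleaned)["entries"]}

def forced_https_by(host, entries):
    """Return the entry name that forces https for host, or None."""
    labels = host.lower().rstrip(".").split(".")
    # Try the full host first, then each parent suffix down to the bare TLD.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = entries.get(candidate)
        if entry is None or entry.get("mode") != "force-https":
            continue
        # A parent entry only applies to subdomains if it says so.
        if i == 0 or entry.get("include_subdomains", False):
            return candidate
    return None

if __name__ == "__main__":
    entries = load_entries(SAMPLE)
    for host in ("test.dev", "test.com", "localhost", "www.example.org"):
        rule = forced_https_by(host, entries)
        print(f"{host:16} -> {'https forced by ' + rule if rule else 'no upgrade'}")
```

Because the match is made on the name alone, mapping test.dev to 127.0.0.1 in /etc/hosts does not change the outcome, which is why curl succeeded while the browser failed.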