I'm not able to continue visiting my local development website, because browsers are blocking the site and the common problem is HSTS. I'm unable to figure out what's gone wrong.
Recently I set up a new system for web development. Everything was working well since I set up the new machine. Suddenly today everything froze and I'm feeling like a prisoner.
Firefox and Google Chrome blocked the site last week, but my work was still continuing because Firefox Development Edition had my back, and I was also exploring how to fix that issue. But today that is over. So I'm finally fixing this.
The only difference between the two machines is the OS and the web server. On the old machine (macOS) I was using Apache, but Nginx is on my new machine (Ubuntu).
Our live production domain is https://www.peoplematters.in and we do development using https://dev.peoplematters.in.
For local development I'm using a self-signed certificate.
In some cases browsers allow adding a security exception. But in this HSTS case it is not allowed. I've not configured an HSTS header for the local development version. So why is it showing?
Because it is configured on the top level domain with include sub domains: https://securityheaders.com/?q=https%3A%2F%2Fpeoplematters.in&hide=on:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
I would guess at some point you visited the top level domain (instead of just the www version) so picked up this policy.
Additionally, because this header has preload in it, it may soon be preloaded into web browsers' code, meaning it will be impossible to turn this off and you'll have to get used to setting up your certificates properly in your dev envs (by either trusting your self-signed certs or by using other certs recognised by the browser).
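The inheritance described in the answer, as an added example that is not part of the original post: a minimal model of a browser's dynamic HSTS host list, using RFC 6797's header parsing and superdomain matching. The `parse_sts` and `HstsStore` names are hypothetical, and the model covers only policies learned from a visit, not the preload list.

```python
import time

def parse_sts(value):
    """Parse a Strict-Transport-Security value; None means 'ignore this header'."""
    seen = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if not name:
            continue
        if name in seen:                      # a repeated directive invalidates the header
            return None
        seen[name] = val.strip().strip('"')   # max-age may be sent as a quoted-string
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()): # max-age is required and must be digits
        return None
    return int(age), "includesubdomains" in seen

class HstsStore:
    """Hypothetical model of the per-browser list of known HSTS hosts."""
    def __init__(self):
        self.hosts = {}                       # host -> (expiry timestamp, include_subdomains)

    def note_header(self, host, value, now=None):
        now = time.time() if now is None else now
        policy = parse_sts(value)
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:                      # max-age=0 deletes the stored policy
            self.hosts.pop(host.lower(), None)
        else:
            self.hosts[host.lower()] = (now + max_age, include_sub)

    def covering_host(self, host, now=None):
        """Return the stored host whose unexpired policy applies to `host`, or None."""
        now = time.time() if now is None else now
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):          # the host itself first, then each parent domain
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return candidate              # a parent only counts with includeSubDomains
        return None

if __name__ == "__main__":
    store = HstsStore()                       # one visit to the bare domain with the header above
    store.note_header("peoplematters.in", "max-age=31536000; includeSubDomains; preload")
    print(store.covering_host("dev.peoplematters.in"))
```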