After I have activated the helmet module, the browser stops to display on http://localhost:3000/
and other ports of the localhost:
If more exactly, when open http://localhost:3000/
, the browser automatically redirects to https://localhost:3000/
. Also, if manually correct https://localhost:3000/
to http://localhost:3000/
, the browser will return to https://localhost:3000/
. But most important fact is the browser keep this behavior for all projects, not only for one when the HTTPS protocol support and actually enabled and helmet module used. It is problematic to provide the HTTPS support for all projects in local development mode.
I understand that this behavior is for security when surfing the internet, but it is the interfering behavior when locally developing something when helmet module and HTTPS not using (actually, it is impossible to use same browser).
Helmet maintainer here.
You can fix this by clearing your browser's HSTS cache. See this guide.
This is happening because Helmet sets the Strict-Transport-Security
header, abbreviated to "HSTS". HSTS hooks your browser on HTTPS for a period of time, typically a year or more. For example, if you visit https://example.com
which sets the Strict-Transport-Security
header, later visiting http://example.com
will automatically redirect you.
Presumably, you visited https://localhost:3000
with HSTS at some point. This means that visiting http://localhost:3000
will automatically be redirected. Clearing your HSTS will reset this, allowing you to visit the insecure HTTP URL again.