I have a variety of sites under development staged using subdomains of a single domain (e.g., this.example.com
, that.example.com
, etc.). Some implement SSL; some don’t. This is fine – they’re all works in progress not accessible outside my LAN.
The problem is that Safari remembers its HSTS policy for an entire domain, not per subdomain. Once it loads https://this.example.com
, it refuses not only to load http://thissub.example.com
, but also http://that.example.com
. Removing the local data for the parent domain under “Safari > Settings > Privacy > Manage Website Data” works until various changes between http and https are remembered, at which point it once against rejects all http connections.
The constant nannying means it’s not feasible to analyze the developing sites using Safari, which is particularly annoying since that’s the target browser for all of them. Older suggestions (e.g., delete ~/Library/Cookies/HSTS.plist
) aren’t applicable to Safari 18. Is there some way to force it to stop mothering me?