Django says my development server doesn't support HTTPS, even though I've disabled it

Question

I've developed my own website on Django for a while, and today I started to learn how to deploy it. I added this to my settings.py:

SECURE_SSL_REDIRECT = True,

This caused the development server to stop working properly, with this error message:

[13/Jan/2018 16:56:49] code 400, message Bad request syntax ('\x16\x03\x01\x00À\x01\x00\x00¼\x03\x03ßà\x84¼+Jnßþn-ñ\x88ý©vAþK\x83¤²êT\x86\x0b.\x8em\x0b:â\x00\x00\x1cÚÚÀ+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x00')
[13/Jan/2018 16:56:49] code 400, message Bad HTTP/0.9 request type ('\x16\x03\x01\x00À\x01\x00\x00¼\x03\x03\x87')
[13/Jan/2018 16:56:49] You're accessing the development server over HTTPS, but it only supports HTTP.

[13/Jan/2018 16:56:49] You're accessing the development server over HTTPS, but it only supports HTTP.

[13/Jan/2018 16:56:49] code 400, message Bad request version ('JJÀ+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x00')
[13/Jan/2018 16:56:49] You're accessing the development server over HTTPS, but it only supports HTTP.

Why has my server stopped working properly?

Note that when I changed the setting back to SECURE_SSL_REDIRECT = False, the problem didn't go away.

Answer 1

You configured your django site to enforce https by setting SECURE_SSL_REDIRECT = True - which is very good idea for a production setup.

If you set the SECURE_SSL_REDIRECT setting to True, SecurityMiddleware will permanently (HTTP 301) redirect all HTTP connections to HTTPS.

For this reason (and also others) you usually have separate settings for development and produciton. There are a few things that nearly always differ.

Read this to get known to some approches on how to deal with it: Django: How to manage development and production settings?

NOTE

If your browser received 301 once from your site - changing the setting back might have no direct effect, as the browser cached the target URL and does not send a request on HTTP. You need to clear or disable your browsers cache in that case.

Answer 2

The browser has cached the http->https redirect from the previous request when it was working with SECURE_SSL_REDIRECT=True.

Turning it off server side will not effect that cached redirect.

You can selectively clear that for your dev server's url/ip (not everything in the browser cache) and get things working by:

1. Shutdown your Django dev server
2. Go to http://127.0.0.1:8000 - it will give you a 404
3. Open up Chrome's dev tools
4. Click and hold on the "Reload" button
5. Select: "Empty Cache & Hard Reload"
6. Restart Django dev server
7. Hit http://127.0.0.1:8000 again