How can I enable HTTP in Safari settings

I had exactly the same issue.

I managed to solve it by switching off “Not Secure Connection Warning” in Safari settings.

Settings App > Safari > Scroll to the Privacy & Security section > toggle off Not Secure Connection Warning

Hope this helps :-)

lkrupp wrote:

It means of course that the website you are trying to access is insecure and not protected in any way from malware, hacking, and remote intrusions. It’s likely very dangerous to try and load that URL.

No, that is not what it means at all. It means that your connection to that website is not encrypted. That is all. On a website that only serves static content that is not personally sensitive, this has no security implications at all, because such as site wouldn't be vulnerable to malware or hacking anyway. But obviously if you are sending password, credit card numbers, any personal data of any kind to the site, then you would want that data encrypted.

Conversely, a site having the most highly-verified SSL certificate ONLY assures you that your connection to it is encrypted. It does not tell you that they don't have an open telnet port giving all and sundry access to their inner mcgubbins.

It means of course that the website you are trying to access is insecure and not protected in any way from malware, hacking, and remote intrusions. It’s likely very dangerous to try and load that URL.

If you insist go to Safari->Settings->Security and turn off the warnings and try again. Do you by chance have the "HTTPS-Only for Safari” extension installed also? That error message seems to say you do.

On a Mac, you can find this setting under the Security tab. Disable "Warn before connecting to a website over HTTP".

The latest version of Safari, v18.2 released in December, introduced this warning. It also introduced some features that will try HTTPS first and fallback to HTTP. From the release notes: Safari 18.2 Release Notes | Apple Developer Documentation

I only started seeing this today, but it might be due to the timing of when this update was (quietly) installed on my Mac.

I agree that this is a bug because this should be just a warning that lets you continue to the site and doesn't stop you from browsing. I've tried modifying other settings in Safari, but nothing else seems to let you through.

In the long run, it's best to ask the website owners to enable HTTPS and turn this warning back on, for our own security. This is the way....

I’m having this same issue and have tried everything I can think of to resolve it. My devices (an iPhone 7 Plus iOS 15.8.3 and an iPad 9 iOS 18.2) do not have the extension referenced in your reply. My settings are correct…I’m signed into both with the same Apple ID, both have iMessages enabled in iCloud. Text message forwarding is enabled. I can access my router’s settings on the iPhone but not the iPad. Following is what I’ve done to try and resolve it:

*Reset network settings on both devices.

*Turned both off, then back on.

*Used the iPhone to access my router’s settings and rebooted the router.

*A hard reset on both devices.

*Reset all settings on both devices.

*A text sent from my iPhone to the iPad did did show on the iPad.

*Erased the iPad and restored to from a backup.

*Had someone else send me a test text and it was received on the iPad.

*Toggled iMessage off, then back on on both.

Any ideas as to what the resolution is to this? Thanks in advance!

There are presently serious security issues (CVE-2024-55591) with Fortinet gear, with active exploits happening.

If that gear is not already patched to current, get there.

https://www.tenable.com/blog/cve-2024-55591-fortinet-authentication-bypass-zero-day-vulnerability-exploited-in-the-wild

If that Fortinet VPN client is possibly downgrading secure connections to insecure connections to scan traffic, that too can lead to connection issues.

Check with whomever is maintaining your Fortinet gear, or with Fortinet support, particularly if this HTTP/HTTPS error is arising only with that VPN active.

I’m familiar. This is the ZTNA client connecting to the Forticloud aka FortiSASE. From the message I get back in Safari, it’s because the Forticlient uses the browser during the SAML process and it’s using port 8020 to call back to the Forticloud Web Content Filtering and the “Not Secure Connection Warning” toggle in Safari is blocking it, not warning on it. Instead of a warning I get “Navigation failed because the request was for an HTTP URL with HTTPS-Only enabled”

If I turn the toggle to off, the connection works. I have a ticket open with Fortinet but it seems like a bug with the function of the toggle setting the browser to HTTPS-Only vs a warning. Idk

HalfordZooming wrote:

lkrupp wrote:

It means of course that the website you are trying to access is insecure and not protected in any way from malware, hacking, and remote intrusions. It’s likely very dangerous to try and load that URL.

No, that is not what it means at all. It means that your connection to that website is not encrypted. That is all. On a website that only serves static content that is not personally sensitive, this has no security implications at all, because such as site wouldn't be vulnerable to malware or hacking anyway. But obviously if you are sending password, credit card numbers, any personal data of any kind to the site, then you would want that data encrypted.

Conversely, a site having the most highly-verified SSL certificate ONLY assures you that your connection to it is encrypted. It does not tell you that they don't have an open telnet port giving all and sundry access to their inner mcgubbins.

Those two are two ways to reference the same general risks, with different phrasing used.

With or without TLS, the web server itself might be secure, or might not.

No TLS means any website logins or tokens can be compromised, yours, others’, and the website maintainers’.

No TLS that it’s easier to determine what you are accessing on the web server or web page, and that access alone can potentially be sensitive, or can become sensitive.

No TLS also means the connection to the website is open to shenanigans by those with intermediary access, and it can mean you’re not even accessing the intended website. Or worse, you are, but somebody else can be “helping”. That “helping” access has happening with Tor, and may still be happening in places — Windows executables being transferred by non-HTTPS / non-TLS Tor connections were being dynamically-infested with malware.

No TLS also means password managers can potentially be fooled, though most of those should hopefully not pre-populate forms on an insecure webpage.

The DV and EV stuff isn’t something that most folks even recognize, though the math vendors are still happy to sell their more expensive EV McGuffins. For most folks, locked and blocked are the usual extent.

As for the OP and their question, check whether that web server itself is sending the Strict Transport Security header. That’ll cause this, should the website also return a mixture of HTTPS and HTTP.

If it’s not the OP’s website, contact the website maintainers. Or contact Fortinet, if it’s Fortinet gear and running current firmware.

Fortinet gear has been problematic for a while, and mixed transport security headers wouldn’t surprise, given some of the other errors recently surfaced in that gear.

nassssy wrote:

I have this message when I want to download the contents of the board (jpg) from the interactive whiteboard at my school via QR code. The problem only affects Safari.

Contact the support organization for the whiteboard vendor.

nassssy wrote:

I work in several schools on different boards. The problem affects most of them. Before the system update there was no problem.

It would not surprise me to learn this bug is with the Apple, and the support organization for the app knows the details, or this might be a bug in the scholastic software itself exposed by the Apple update and that now needs a fix.

Or that Apple tightened the certificate requirements as has been happening, whether effecting the app use of certificates, or effecting the certificate vendor.

All are possible.

As are other potential causes.

All involve working with the provider of the app too, as they know their app best, and (being the support path) will have heard about any common issues involving their app.

This detail in particular implies it is the app centrally involved: “Navigation failed because the request was for an HTTP URL with HTTPS-Only enabled". The HSTS policy is usually a website or web service misconfigured, and the Safari update is now detecting a transport-related error that was previously undetected. The website or web service told Safari to use only HTTPS, and then the website didn’t. That’s a “pick one” error.

Or the website downgraded to HTTP, and the previous policy is still being cached.

(The transport policy details are the sort of flaw might have been used elsewhere as part of a security breach too, but we don’t know those details (yet?).)

Or, yeah, it’s an Apple Safari bug.

Again, contact the app vendor.

I'll write more precisely: I work in several schools, which means that the problem occurred in several different boards (exactly: 4 different manufacturers). The problem is on the side of apple developers.

I solved the problem on the iPhone. I had to disable the safari settings "warnings before unsecured connection".

And this is an apple error because a warning warning before an unsecured connection is not the same as blocking an unsecured connection.

See instructions above to disable the warning for "Not Secure Connection" on iOS/iPadOS and "connecting to a website over HTTP" for MacOS. This will then behave like it did before the December update. You'll be just as secure/insecure as you were before.

I would recommend that you don't give up on Safari. It's not a Safari bug, per se. It is Apple trying to help you be more secure, blocking what has always been insecure sites. They shouldn't have been so draconian and instead just displayed a warning.

The best solution in the long term is for the vendors to update their sites to be secure and use HTTPS, and then for you to re-enable the warning in Safari. That's where you can help yourself (and others in your organization) by notifying the vendors.

The error message seems to be in error. Irony. (I got the same error message; I do not have, to my knowledge, any extension named "HTTPS-Only for Safari" installed on my iPad.)

I getting this error while trying to use the Fortinet Forticlient for VPN. It was working prior to this.

I have this message when I want to download the contents of the board (jpg) from the interactive whiteboard at my school via QR code. The problem only affects Safari.