We had a website working with a GoDaddy SSL certificate for a couple of years. A few days ago we decided to use this certificate for another domain and keep the current website working with just HTTP.
We also moved the website to Azure and made sure there are no URL rewrites which redirect HTTP to HTTPS.
But since we did this move, on all browsers the website automatically redirects to HTTPS when the user opens it with HTTP: a request to http://www.example.com automatically goes to https://www.example.com. And for sure this shows the annoying message that the website is not secure.
How can we stop this behaviour for all users without asking them to change their browsers' security settings?
Not sure if these help:
- The website is a very old website written in classic ASP
- The SSL certificate was from GoDaddy
- The domain name of this website is on UK2
- The website is now hosted on Azure app services.
This behavior sounds a lot like an HSTS (https://en.m.wikipedia.org/wiki/HTTP_Strict_Transport_Security) header was set for the domain. The good news is that you can simply stop applying it and the effects will eventually go away. The bad news is that it's usually set to at least six months, and the only way to stop it earlier is to have all clients clear their cache so they forget that setting for this specific domain. The point of HSTS is to prevent a hijacker from maliciously turning off TLS security for web sites.
Enable HTTPS. Either on the same web server running the app (pretty sure Azure can do this), or a separate reverse proxy, either would be fine. Issue a new certificate if necessary; X.509 certs are cheap or free.
HSTS and HTTP insecure warnings are the browsers trying very hard for HTTPS everywhere.
Absent any explanation of why you can't do HTTPS, it will be easier to implement it. Easier than explaining to users the technical and almost sketchy task of clearing their security settings.
In case you are not currently forcing or even redirecting to HTTPS, it is most probably a case of caching on the client side.
The redirection could be done by an HSTS (HTTP_Strict_Transport_Security) header, a simple 301 HTTP code (Permanent redirect), a 302 HTTP code (Found), an HTML header, or a script located on the loaded page. The first two mentioned options are cached on the client side, so when the client requests the address it is redirected even without an "initial" request to the server...
As this would require clearing the cache for the page on ALL clients, I would rather think about getting even a free (e.g. Let's Encrypt) certificate to keep the page running on HTTPS... I think it would be much less work than supporting all the clients who have visited your page recently.
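The redirect mechanisms listed in the answers above can be told apart from a single response. The following is an added example, not part of any answer in this thread: the function names and the sample responses are constructed for illustration, and it flags which mechanisms a browser remembers (HSTS and 301), so a clean result from the new server points to client-side caching.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=\s*https://', re.I)
SCRIPT_REDIRECT = re.compile(r'location(?:\.href)?\s*=\s*["\']https://', re.I)

def find_https_upgrades(scheme, status, headers, body=""):
    """Return (mechanism, remembered_by_browser) pairs found in one response."""
    h = {k.lower(): v for k, v in headers.items()}
    found = []
    # Browsers honour HSTS only when the header arrives over HTTPS.
    if scheme == "https" and "strict-transport-security" in h:
        policy = parse_hsts(h["strict-transport-security"])
        if policy["max_age"]:  # max-age=0 or missing sets no policy
            found.append(("hsts max-age=%d" % policy["max_age"], True))
    if status in (301, 302) and h.get("location", "").lower().startswith("https://"):
        found.append((str(status), status == 301))  # only 301 is cached by default
    if META_REFRESH.search(body):
        found.append(("meta-refresh", False))
    if SCRIPT_REDIRECT.search(body):
        found.append(("script", False))
    return found

# Constructed sample responses (not captured from the site in the question).
OLD_HTTPS = ("https", 200,
             {"Strict-Transport-Security": "max-age=15768000; includeSubDomains"}, "")
OLD_HTTP = ("http", 301, {"Location": "https://www.example.com/"}, "")
NEW_HTTP = ("http", 200, {"Content-Type": "text/html"}, "<html><body>ok</body></html>")

if __name__ == "__main__":
    for name, resp in [("old https", OLD_HTTPS), ("old http", OLD_HTTP), ("new http", NEW_HTTP)]:
        print(name, find_https_upgrades(*resp))
```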