Closed Bug 1507515 Opened 6 years ago Closed 6 years ago

Protocol is set http when missing in the url bar

Categories

(Firefox :: Address Bar, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1158191

People

(Reporter: f35531337, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36

Steps to reproduce:

Entered the url: "mywebsite.com" in the url bar

Actual results:

It auto prepends the protocol "http://" to the entered url to: "http://mywebbsite.com"

Expected results:

First check if "https://mywebbsite.com" exists and has a valid cert, use this uri then. Otherwise use "http://mywebbsite.com".

This is to prevent a MITM attack during an http -> https redirect, when redirecting from a webserver with a "307 Temporary Redirect" or a "308 Permanent Redirect". This is prevented on subsequent loads if HSTS is used. But an attacker can drop that header on the first http->https redirect.

Background information of this issue:

We want to disable http (port 80) on our web application servers. But our users will have to type "https://" explicitly in the url bar. And that will never happen.

Is it possible to change this? Or is there too much breakage to change this behaviour?
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Component: Untriaged → Address Bar
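For site operators who want to check the exposure described in this report, here is an added example (not part of the bug report or of Firefox code) that audits a recorded redirect chain: it parses `Strict-Transport-Security` as RFC 6797 describes and reports whether the first request goes out in plaintext and whether later visits would be upgraded. The host `example.test`, the sample chain and the `known_hsts_hosts` parameter (hosts the browser already holds a policy for) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None means 'ignore this header'."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:            # repeated directive makes the header invalid
            return None
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None                       # max-age is the one required directive
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def audit_first_visit(chain, known_hsts_hosts=frozenset()):
    """chain: [(url, response_headers), ...] in the order the browser followed them."""
    first = urlsplit(chain[0][0])
    policy = None
    for url, headers in chain:
        hop = urlsplit(url)
        sts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        # A policy is only noted from an HTTPS response, and only for the host that sent it.
        if sts and hop.scheme == "https" and hop.hostname == first.hostname:
            policy = parse_hsts(sts) or policy
    plaintext = first.scheme == "http" and first.hostname not in known_hsts_hosts
    return {"first_request_plaintext": plaintext,
            "later_visits_upgraded": bool(policy and policy["max_age"] > 0)}

# Constructed sample: what a bare "example.test" typed in the address bar leads to.
SAMPLE_CHAIN = [
    ("http://example.test/", {"Location": "https://example.test/",
                              "Strict-Transport-Security": "max-age=31536000"}),
    ("https://example.test/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

if __name__ == "__main__":
    print(audit_first_visit(SAMPLE_CHAIN))
    print(audit_first_visit(SAMPLE_CHAIN, known_hsts_hosts={"example.test"}))
```

The header on the `http://` hop is deliberately present in the sample to show that it contributes nothing: only the HTTPS response sets the policy.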