Configured bad-certificate targets
These URLs must be real top-level HTTPS destinations with invalid certificates. The app cannot manufacture TLS failures from client-side code.
Self-signed
Top-level navigation target that should trigger the browser's untrusted certificate flow.
https://self-signed.badssl.com/Wrong host
Target whose certificate does not match the requested hostname.
https://wrong.host.badssl.com/Expired
Target whose TLS certificate is expired or otherwise time-invalid.
https://expired.badssl.com/Custom target launcher
Useful when you want to paste a temporary production bad-cert host without rebuilding the app.
Manual checklist
- Verify the browser only surfaces its certificate UI for top-level navigations, not embedded subresources.
- Test an overridable cert error and a fatal/non-overridable case if your production setup supports both.
- Compare current-tab navigation versus opening the target in a new tab or new window.