How to Disable HSTS

Updated on Apr 30, 2018

If you encounter an issue with HSTS before you add your site to the preload list and cannot fully access your website because of, for example, an expired SSL certificate or mixed content, you can disable HSTS in order to load the website and resolve the issue.

Disabling the header is easy: change the max-age directive from 31536000 to 0, which makes the policy expire the moment it is applied. For more information on how to find and edit the .htaccess file and the header, please check our initial tutorial, How to Enable HSTS.

Changing only the max-age is better than removing the entire header from your .htaccess file: when the browser first read and cached the header, the max-age was applied, and the browser was instructed to cache the header for that period. By changing the max-age to 0, you re-instruct the browser to essentially disregard the entire header without further caching.
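As an added example (not code from this tutorial), the following Python model of a browser's HSTS cache follows the processing rules in RFC 6797 to show why removing the header leaves the cached policy in place while max-age=0 deletes it, and that the header is only honored over HTTPS without certificate errors. The class and function names, the host and the timestamps are constructed for illustration.

```python
import re

def parse_sts(value):
    """Return max-age in seconds, or None if the header must be ignored."""
    seen = {}
    for part in value.split(";"):  # simplified: no ';' inside quoted values
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue
        if name in seen:
            return None  # a repeated directive invalidates the whole header
        seen[name] = val.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    return int(seen["max-age"])

class HstsStore:
    """Constructed model of one browser's HSTS cache: host -> expiry time."""
    def __init__(self):
        self.hosts = {}

    def on_response(self, host, headers, valid_tls, now):
        value = headers.get("strict-transport-security")
        # The header only counts over HTTPS with no certificate errors; a
        # response without it leaves any cached policy untouched.
        if not valid_tls or value is None:
            return
        max_age = parse_sts(value)
        if max_age is None:
            return
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0: forget this host now
        else:
            self.hosts[host] = now + max_age

    def forces_https(self, host, now):
        return now < self.hosts.get(host, 0)

def demo(host="example.com", now=1_700_000_000):  # constructed sample values
    store = HstsStore()
    on = {"strict-transport-security": "max-age=31536000"}
    off = {"strict-transport-security": "max-age=0"}
    store.on_response(host, on, True, now)        # policy cached for a year
    store.on_response(host, {}, True, now + 60)   # header removed from .htaccess
    after_removal = store.forces_https(host, now + 60)
    store.on_response(host, off, False, now + 90)  # expired certificate: ignored
    after_bad_tls = store.forces_https(host, now + 90)
    store.on_response(host, off, True, now + 120)  # valid HTTPS: entry deleted
    return after_removal, after_bad_tls, store.forces_https(host, now + 120)
```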

However, as browsers were updated with HSTS in mind, some of them will still have the header's instructions saved, and you will have to remove them manually.

Chrome

  • To access the local HSTS settings saved in Chrome, paste this into your address bar: chrome://net-internals/#hsts
  • To confirm that the domain for which you have disabled HSTS is saved in Chrome, type the domain in the Query Domain section (without http:// or https://) and click the Query button. If you get a "Found" result with data after it, then the domain was saved by Chrome.
  • Now type the same domain into the Delete domain section and click the button.

Your browser will no longer force an HTTPS connection to that site.

Firefox

  • Firefox makes things a bit easier, as you won't have to access any specific option pages, which are usually hidden, as with Chrome.
  • Start by closing all your tabs and opening the full History window with the shortcut Ctrl + Shift + H. Then find the website which you want to remove from the HSTS browser list, right-click on it and select Forget About This Site.

Then restart Firefox to get the desired result.

Safari

  • Close Safari.
  • Delete the ~/Library/Cookies/HSTS.plist file.
  • Reopen Safari.

Disabling HSTS is not recommended but may be required in some situations. However, you are now aware of how to do this procedure via the header and in 3 of the most used browsers.
