Resolving HSTS issues

Updated on Apr 30, 2018

The same functionality which provide the extra protection when you have HSTS enabled can be a hurdle when trying to access your website if you encounter an error in your browser such as:

Error code: SSL_ERROR_BAD_CERT_DOMAIN

You will not be able to skip it and continue to the website due to errors on HSTS websites being forced as unskippable. As mentioned in the published in 2012 RFC6797 Section 12.1:

Failing secure connection establishment on any warnings or errors (per Section 8.4 ("Errors in Secure Transport Establishment")) should be done with "no user recourse". This means that the user should not be presented with a dialog giving her the option to proceed. Rather, it should be treated similarly to a server error where there is nothing further the user can do with respect to interacting with the target web application, other than wait and retry. Essentially, "any warnings or errors" means anything that would cause the UA implementation to announce to the user that something is not entirely correct with the connection establishment. Not doing this, i.e., allowing user recourse such as "clicking through warning/error dialogs", is a recipe for a man-in-the-middle attack. If a web application issues an HSTS Policy, then it is implicitly opting into the "no user recourse" approach, whereby all certificate errors or warnings cause a connection termination, with no chance to "fool" users into making the wrong decision and compromising themselves.

As an example, you can try to skip this error from accessing the following website (https://subdomain.preloaded-hsts.badssl.com). Having said that, we will take a look at the most common issues regarding HSTS and how to resolve them.

Expired SSL

If you actually got the above-mentioned error message in your browser, the SSL certificate for your domain has expired and needs to be renewed.

  • In case you are using the Let's Encrypt service, renewal should be done automatically, unless there was editing in the DNS zone. For example, a Cloudflare configuration for that domain may be the cause for the Let's Encrypt certificate not to renew. This may require you to pause Cloudflare, purge the Cloudflare cache, issue the certificate and then reactivate Cloudflare. If you come across another issue related to the SSL certificate which you are unable to tackle yourself, you can always submit a ticket via your client area and our technical team will be right there to help you.
  • If you are using a GlobalSign certificate, you will have to renew the service via your client area.

Mixed Content

When a browser access a web page via HTTPS connection and detects insecure (HTTP) resources, it will either not load them resulting in a broken layout of completely fail to load anything depending on the exact resource which is served over HTTP. This can be fixed by migrating all HTTP content to HTTPS.

Mixed content can be categorized as Active or Passive:

  • Active mixed content which includes resources like JavaScript, CSS, fonts, etc. Browsers will not load any of these in such cases, due to the chance of them being compromised and used for malicious attacks.
  • Passive mixed content which includes resources like images, video/audio, pdf, etc. Most browsers can load this content for now, however with stricter policies regarding mixed content coming into play; we may see more red error pages regarding unsecured content which is promoting webmasters to fix such mixed content on their websites. This is due to the connection being only partially encrypted meaning that the unencrypted content is accessible to sniffers and susceptible to man-in-the-middle (MITM) attacks.

You can use plugins to help you with fixing your mixed content such as the SSL Insecure Content Fixer or Really Simple SSL (pro feature) in case you are running a WordPress based site.

Redirect Loops

Depending on your website configuration, you might experience a redirect loop when you have HSTS enabled. This usually happens but is not limited to having a redirect all traffic rule in your .htaccess file:

RewriteEngine on

RewriteCond %{HTTPS} off

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

This can also be done by a redirect plugin as those plugins will automatically add lines of code in your .htcaccess file. The same outcome can be detected, If you have enabled similar redirect in the virtual host file, in case you are managing your own server.

Also, please note that HSTS may act out of the ordinary in certain configurations making redirects before or after the one specified in the configuration file which could lead to extra redirects and slower load time for the end user. However, the diagnosis of this type of redirect errors cannot be generalized and has to be looked in a case-by-case fashion.

Cached Header after disabling HSTS

The HSTS header explicitly instructs browsers how long to wait before checking for the same via the max-age directive inside the header. If you have set that to 31536000 seconds as is the requirement for adding a domain to the preload list, this means that the browser will remember the settings for 1 year. We already provided a guide on how to remove this saved state from the browser local files in our How to disable HSTS tutorial.

On this page...

    High Security Hosting

    • Network Firewall
    • Web Application Firewall
    • Brute-force Protection
    • Exploits and Malware Protect
    • CageFS Security
    • ModSecurity Manager
    View More