Reset HTTP Strict Transport Security Browser Settings

6th Jul 2018 technology english

If you are having issues using websites with the restrictive HSTS (HTTP Strict Transport Security) settings, for whatever reason this browser specific methods may help.

.htaccess

Setting the expiration time on the HSTS header to zero should immediatly make it expire.

<IfModule mod_headers.c>
   Header set Strict-Transport-Security "max-age=0; includeSubDomains;" env=HTTPS
</IfModule>

Chrome

In the address bar, type chrome://net-internals/#hsts
Type the domain name in the text field below “Delete domain”.
Click the “Delete” button.
Type the domain name in the text field below “Query domain”.
Click the “Query” button.
Your response should be “Not found”.
Quit Chrome then relaunch and test.

Firefox

First, you need to close all open windows
Goto Browser Settings --> History. Select "Show All/Complete History" or Ctrl + Shift + H (Cmd + Shift + H on Mac)
Go to the site for which you want to clear HSTS settings
Now right-click on that site and then click on Forget About This Site.
- Keep in mind that this will clear all data of the site present in Firefox.

Advanced Method

Find file SiteSecurityServiceState.txt typically located in C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\
Edit the file and delete the line that starts with "yourdomain.com".

Safari

Quit Safari.
Delete the file ~/Library/Cookies/HSTS.plist.
Reopen Safari.

Internet Explorer / Edge

The only supported method of removing site specific HSTS settings is to revisit the site and load the new HSTS directives.

Microsoft uses preload lists for HSTS which results in the known behavior

Site developers can use HSTS policies to secure connections by opting in to an HSTS preload list, which registers websites to be hardcoded by Microsoft Edge, Internet Explorer, and other browsers to redirect HTTP traffic to HTTPS. Communications with these websites from the initial connection are automatically upgraded to be secure. Like other browsers which have implemented this feature, Microsoft Edge and Internet Explorer 11 base their preload list on the Chromium HSTS preload list.

While disabling HSTS altogether is NOT recommended, doing so temporarily may be helpful for testing: Internet Explorer 11 adds support for HTTP Strict Transport Security standard

For x64-based systems

Click Start, click Run, type regedit, and then click OK.
Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
On the Edit menu, point to New, and then click Key.
Type FEATURE_DISABLE_HSTS, and then press Enter.
Click FEATURE_DISABLE_HSTS
On the Edit menu, point to New, and then click DWORD value.
Type iexplore.exe.
On the Edit menu, click Modify
In the Value data box, type 1, and then click OK.
- Note The valid values for the iexplore.exe subkey are 0 and 1. A value of 1 disables the feature, and 0 enables the feature.
Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\
On the Edit menu, point to New, and then click Key.
Type FEATURE_DISABLE_HSTS, and then press Enter.
Click FEATURE_DISABLE_HSTS
On the Edit menu, point to New, and then click DWORD value.
Type iexplore.exe.
On the Edit menu, click Modify.
In the Value data box, type 1, and then click OK.
- Note The valid values for the iexplore.exe subkey are 0 and 1. A value of 1 disables the feature, and 0 enables the feature.
Exit Registry Editor.

General HSTS Information

Wil Genovese informed me about this

This does not work - Apple auto-magically puts the HSTS.plist back right after you delete it.

Yes, I figured out a solution. Make sure you are ready to reboot your Mac.

Quit Safari

Delete the file ~/Library/Cookies/HSTS.plist

and before the file can be restored, REBOOT!

Reopen Safari

Total PITA, but it worked.

Previous Post Next Post