How to disable HTTP Strict Transport Security?

Question

I had a Rails application with config.force_ssl = true, but now I dont want SSL encryption, but my app is still redirecting to https. I read this is a HTTP Strict Transport Security problem on Apache. How can I disable it?

Answer 1

It's not a problem with Apache, but with the fact that Rails sends an HSTS header.

In Chrome, you can clear the HSTS state by going into about:net-internals, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = true also uses a 301 (permanent) redirection.

In addition, according to this answer, you could also make your application send an STS header with max-age=0. In your controller:

response.headers["Strict-Transport-Security"] = 'max-age=0'

Answer 2

Just wanted to point out @Bruno's answer and @JoeVanDyk's suggestions are true and can be applied beyond the context of Rails/Apache. I'm using PHP and Nginx. PHP has nothing to do with it in my case, but here's the steps with Nginx:

//sorry here's the nginx.conf part first, can't figure out how to mix multi-line 
//code with an ordered list

server {
   #...
   #change:
   # add_header  Strict-Transport-Security "max-age=315360000; includeSubdomains";     
   #to:
   add_header  Strict-Transport-Security "max-age=0;";
   #...
}

1. clear your "browser history". To clarify on @JoeVanDyk's suggestion , I think you need to clear "browsing history" because clearing the cache didn't work for me (tested on Chrome/Firefox, please add comments if you know more).

2. nginx.conf file (see code above)

3. restart server

   root@ip-xxx-xxx-xxx:~# /etc/init.d/nginx restart.

After this, you can revert the nginx add_header Strict.. command to what you previously had. Just make sure you repeat steps 1-3 again.

Answer 3

I found I couldn't delete an HSTS entry in Chrome as I was using an IP address for development. I couldn't seem to get chrome://net-internals/#hsts to delete the entry. I found that Chrome stores the entries in ../AppData/local/Google/Chrome/User Data/Default/TransportSecurity so I just deleted the file. It of course removes all HSTS requests, but I suspect they will be rebuilt over time.

Answer 4

Figured id offer a bit of thought on this. Setting cache time to 0 is a best bet and if you turn it off you need to leave it at 0 for weeks to clear out clients browsers. If you just need to clear HSTS in chrome (for your own browser) you can use chrome://net-internals/#hsts in the address bar to clear the cache for your site at your specific browser. Combined with the below "doorway" it becomes useful.

You can set temporary HSTS modes by setting/spoofing a custom header => key. Basically if a special request header exists, and it matches a key, set HSTS with a cache time of whatever you need. This would allow you to turn on or shut off HSTS for all traffic but you. Useful for trying HSTS out before you globally enable (to make sure all assets are loading). Also useful if you wanna temporarily clear out client cache while something is repaired (leaving you room for test).

Answer 5

If you are developing an application/site and for any reason you choose to use the domain .dev or .app for it and if you are using Chrome, Edge (Chromium based) as your browser you won't be able to get rid of this error because Google bought TLD .dev and .app and force the use of HTTPS for those domain.

The "so called" workaround here is that you should change .dev or .app for something else, let say .local.

Hope this helps, somehow.