15

I set this line in an SSL vhost on my server. I am running Apache 2.x.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

This was a major mistake, because now I want to remove it and force users back to http pages sometimes. It was not enabled for very long, but I don't want to lose anyone. If I try to force users back to http pages right now they end up in a redirect loop.

How can I unset or expire HSTS using settings on the server so that when users do visit the site and hit the https version of the site the Strict-Transport-Security setting is removed from their browser and they are able to be redirected to http?

I already know I made a dumb mistake. I learned a lesson and just need to clean it up now.

Brandon Bearden
  • Can you help me understand this? Reason I'm asking is the opposite problem. My old site is still HTTP, but links from Google, Facebook, etc. often force visitors to HTTPS. Sadly, once that link is followed, it seems there is no way to force the browser back to HTTP for my site, causing all kinds of havoc. So, the tech support at the hosting company suggested the opposite: Header always unset Strict-Transport-Security. I may add the max age and include subdomains if it helps, but I'm kind of out of my league understanding why these endless redirect loops happen; I've already seen it!! – Randy Nov 02 '20 at 07:08
  • @Randy This config option does not help your situation. The only production solution I would implement, personally, would be to setup your old site with HTTPS and redirect your http traffic to https. That is better for everyone and will cause you less headaches in the long run. – Brandon Bearden Nov 03 '20 at 17:59
  • 1
    A day later, that line with "unset" instead of set, and without the max-age specifiers, along with an additional redirect in the htaccess file to re-write all https requests to http, did fix everything, for now (that plus flushing my browser history, which had already flagged my URL as "too many re-directs"). Not saying I won't eventually switch over to a secure site. Just that it is extremely bothersome when something that worked for literal decades suddenly doesn't. We all prefer to upgrade on our own time, not when forced, right? But anyway, learned a bit about HSTS now :-) – Randy Nov 04 '20 at 01:10
  • @Randy - Interesting find. Thank you for updating and sharing. – Brandon Bearden Nov 04 '20 at 15:24

1 Answer

17

Figured it out:

NOTE: A max-age value of zero (i.e., "max-age=0") signals the UA to cease regarding the host as a Known HSTS Host, including the includeSubDomains directive (if asserted for that HSTS Host). See also Section 8.1 ("Strict-Transport-Security Response Header Field Processing").

From the RFC 6797 document.

So, I will just set the following line and leave it for a few months before removing it.

Header always set Strict-Transport-Security "max-age=0; includeSubDomains"
Brandon Bearden
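As an added illustration of the answer and the comment thread (example code, not from the original post or from Apache), this is a small model of how a browser processes Strict-Transport-Security per RFC 6797. It shows why simply unsetting the header, or sending max-age=0 over plain http, leaves an existing policy in place until it expires, while max-age=0 received over https clears it. Host names and clock values are constructed.

```python
# Added example (not from the original post): a minimal model of browser-side
# Strict-Transport-Security handling per RFC 6797. Host names and times are
# constructed; the store is in memory only.
import time

def parse_sts(value):
    """Return {'max-age': int, 'includesubdomains': bool}, or None when the
    field must be ignored (RFC 6797 s6.1): missing, non-numeric or duplicate max-age."""
    seen, result = set(), {"includesubdomains": False}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None                      # directives may appear only once
        seen.add(name)
        if name == "max-age":
            try:
                result["max-age"] = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            result["includesubdomains"] = True
        # unrecognised directives are ignored, not fatal
    return result if "max-age" in result else None

class HstsStore:
    """Known HSTS Hosts as a browser keeps them: host -> (expiry, includeSubDomains)."""
    def __init__(self, clock=time.time):
        self.hosts, self.clock = {}, clock

    def process_response(self, host, scheme, sts_value):
        # s8.1: only a header received over HTTPS is acted on; an absent header
        # changes nothing, which is why "Header unset" cannot revoke a policy.
        parsed = parse_sts(sts_value) if scheme == "https" and sts_value else None
        if parsed is None:
            return
        if parsed["max-age"] == 0:
            self.hosts.pop(host, None)       # s6.1.1: no longer a Known HSTS Host
        else:
            self.hosts[host] = (self.clock() + parsed["max-age"], parsed["includesubdomains"])

    def should_upgrade(self, host):
        """True if the UA must rewrite http://host/ to https:// before connecting."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return True
        return False
```

Because the clearing header is only honoured when the browser actually reaches the https site, the max-age=0 line has to stay on the SSL vhost until every returning visitor has fetched it once, which is why the answer keeps it for a few months.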