
We are looking for a way to have Chrome bypass the HSTS requirements for our dev environment.

We are working on a project for https://foo.com.

Within our organization's internal DNS we have entries for foo.com.dev which point to our internal dev server, which has historically allowed us to reach our dev server via https://foo.com.dev. Secure web requests to this site have always been met with a security warning that we have been able to bypass, but in a recent build of Chrome it seems that the ability to bypass the warning has been removed. We can continue to use this method in IE but would like to be able to test Chrome as well.

Additionally, developers have been able to use their own machine names as suffixes, for example https://foo.com.workstation10.

Any suggestions would be very welcome because the prospect of reconfiguring our entire dev environment is not a pleasant one.

To be clear - access to these sites is entirely limited to internal users by both firewall setup and DNS configuration.

Turk21
  • Possible duplicate of [Chrome redirects .dev to https](https://stackoverflow.com/questions/47768289/chrome-redirects-dev-to-https) – Barry Pollard Apr 11 '18 at 17:49
  • Possible duplicate of [How to disable Chrome HSTS permanently for a subdomain](https://stackoverflow.com/questions/44650854/how-to-disable-chrome-hsts-permanently-for-a-subdomain) – Abdul Rauf Nov 02 '20 at 08:13

1 Answer


You can try one of the following options:

  1. Send the Strict-Transport-Security header only for foo.com, and do not specify includeSubDomains.

  2. Make self-signed certificates for foo.com.dev on the server and import them into Chrome on your local device.

  3. If your target domain is restricted to internal purposes only, you can bypass it by just typing badidea in the Chrome window. Further details are available here.

For more details about HSTS, refer to the HSTS RFC.

patilnitin
  • We were able to get your suggestion number 3 to work - except that the string to type has been updated to "thisisunsafe" - without quotes. It seems from the linked question (https://stackoverflow.com/questions/47768289/chrome-redirects-dev-to-https) this problem is a result of .dev becoming a real TLD owned by Google. We will consider changing our environment to use .test in the future. – Turk21 Apr 12 '18 at 17:23
  • New bypass keyword is `thisisunsafe`. Tested on v86.0.4240.111 (Official Build) (64-bit). Reference: https://stackoverflow.com/a/49130998/2073920 – Abdul Rauf Nov 02 '20 at 08:12
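The thread turns on how a browser decides which hostnames an HSTS policy covers. The following added example (not code from the question or answer above) models that decision following RFC 6797: header parsing as in section 6.1 and host matching as in section 8.2/8.3, where a superdomain's policy reaches a host only if it carries includeSubDomains. The policy table is constructed for illustration; the entry for `dev` stands in for the browser's built-in preload entry for the .dev TLD (which, as the comment notes, became a real TLD), and the `foo.com` entry is what option 1 of the answer would produce. Running it shows why the two are unrelated: `foo.com.dev` is matched by the `dev` entry, not by anything `foo.com` sends, so no header change on foo.com affects it, whereas names under `.test` or a workstation suffix match no entry at all.

```python
"""Added example: HSTS policy evaluation as a browser performs it (RFC 6797).

Not from the Stack Overflow thread; the policy store is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts_header(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is malformed (missing max-age or a repeated
    directive); a conforming browser then ignores the header entirely.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                       # RFC 6797 6.1: no directive may repeat
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # Unknown directives (e.g. 'preload') are ignored, as the RFC requires.
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


def apply_header(store: Dict[str, HstsPolicy], host: str, header: str) -> None:
    """Update the known-HSTS-host store as a browser does after a TLS response."""
    policy = parse_hsts_header(header)
    if policy is None:
        return
    host = host.lower().rstrip(".")
    if policy.max_age == 0:
        store.pop(host, None)                # max-age=0 tells the browser to forget the host
    else:
        store[host] = policy


def hsts_applies(store: Dict[str, HstsPolicy], host: str) -> Optional[str]:
    """Return the store entry that forces HTTPS for `host`, or None.

    A congruent match (identical name) always applies; a superdomain match
    applies only when that superdomain's policy has includeSubDomains set.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = store.get(candidate)
        if policy is None:
            continue
        if i == 0 or policy.include_subdomains:
            return candidate
    return None


def build_demo_store() -> Dict[str, HstsPolicy]:
    """Constructed store: a preloaded TLD plus a header learned from foo.com."""
    store: Dict[str, HstsPolicy] = {
        # Stand-in for the browser's built-in preload entry for the .dev TLD.
        "dev": HstsPolicy(max_age=31536000, include_subdomains=True),
    }
    # Option 1 from the answer: foo.com sends HSTS without includeSubDomains.
    apply_header(store, "foo.com", "max-age=31536000")
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    for name in ("foo.com", "www.foo.com", "foo.com.dev",
                 "foo.com.workstation10", "foo.com.test"):
        print(f"{name:24s} -> {hsts_applies(demo, name)}")
```

The store lookup walks from the full name up to the TLD, so a preloaded TLD entry with includeSubDomains covers every name beneath it regardless of what any intermediate zone serves; that is the property that makes a preloaded suffix unsuitable for internal names that cannot present a trusted certificate.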