Questions tagged [hsts]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.

HSTS is based on research done by Adam Barth and Colin Jackson on the ForceHTTPS protocol starting in 2008, which evolved into the ForceTLS protocol and finally the HSTS protocol.

326 questions
68 votes, 8 answers

Google Chrome localhost | NET::ERR_CERT_AUTHORITY_INVALID

All of a sudden I seem to have an issue with Google Chrome using localhost. I'm trying to access any of my development sites (using Ampps) and I get the following error: Your connection is not private. Attackers might be trying to steal your …
nsilva
53 votes, 3 answers

Non-Authoritative-Reason header field [HTTP]

I'm having difficulty finding out what it means when I have the response header Non-Authoritative-Reason: HSTS. I have searched a lot but just came up with some explanations about HSTS (redirection from HTTP to HTTPS). Can anyone help me with that?…
jamal
50 votes, 7 answers

Safari keeps forcing HTTPS on localhost

When I load http://localhost:3000 in Safari, Safari automatically redirects to https://localhost:3000. How can I disable this functionality? I went into ~/Library/Cookies/HSTS.plist and removed the localhost entry, then restarted Safari but it just…
Charlie Fish
50 votes, 6 answers

How to permanently exclude localhost from HSTS list in Google Chrome

This is a follow-up question to Google Chrome redirecting localhost to https. Does anyone know how to permanently exclude localhost from the HSTS list in Google Chrome? Or any other elegant solution that wouldn't require the developer to visit…
Bugs Bunny
48 votes, 3 answers

How to disable Chrome HSTS permanently for a subdomain

I have the following setup: the application https://app.domain.de is our production environment and is automatically forwarded to use HTTPS. All works fine here. On top, there are several development versions of the application for our QA team…
chillyistkult
44 votes, 5 answers

How to disable HTTP Strict Transport Security?

I had a Rails application with config.force_ssl = true, but now I don't want SSL encryption, yet my app is still redirecting to https. I read this is an HTTP Strict Transport Security problem on Apache. How can I disable it?
Phifo
38 votes, 1 answer

Shall I use the Content-Security-Policy HTTP header for a backend API?

We're implementing HSTS on our backend API and I stumbled upon the Content Security Policy (CSP) header. This header tells the browser from where resources such as images, videos, stylesheets, scripts and so on can be downloaded. Since a backend API…
Jim Aho
25 votes, 2 answers

Enabling HSTS in AWS ELB application load balancer

We would like to enable HSTS for our IIS-deployed web application. We have an SSL-terminating ELB Application Load Balancer. We have enabled the URL Rewrite module in IIS and configured the x-Forward-Proto tag to decide and enable the HSTS header in the response.…
Prasanna B R
18 votes, 4 answers

Cookies are not accessible within JavaScript (and the dev tools) but sent along with XHR request (no httponly used)

I'm using both a front-end and a back-end application on different domains with session-based authorization. I have set up a working CORS configuration, which works as expected on localhost (e.g. from port :9000 to port :8080). As soon as I deploy…
ssc-hrep3
16 votes, 4 answers

How to implement HTTP Strict Transport Security (HSTS) on AWS Elastic Load Balancer?

I would like to implement HSTS for my application. I have an ELB terminating SSL and forwarding the traffic to my application, which is an Apache server used as a reverse proxy. I know that in order to implement HSTS, I would need to add the header…
Pedreiro
15 votes, 1 answer

Unset or Expire HSTS Policy on Apache Server

I set this line in an SSL vhost on my server. I am running Apache 2.x: Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains". This was a major mistake, because now I want to remove it and force users back to http pages…
Brandon Bearden
13 votes, 1 answer

Microsoft Edge forcing HTTPS and refusing a self-signed certificate

I was doing dev work on several sites on my local (Windows 10) PC when, out of the blue this morning, one site refused to load in Microsoft Edge (Version 89.0.774.45 (Official build) (64-bit)). Other local sites are working fine. I removed the redirect to…
Steve
12 votes, 0 answers

How to add a header to an IIS URL Rewrite redirect action?

I'm trying to get a site ready for HSTS preload and one of the requirements is that the root domain also support HSTS. I'm serving pages at "www." so I need to redirect from the root domain to the "www." subdomain. Since this is a static site hosted…
daveaglick
12 votes, 7 answers

Add HSTS feature to Tomcat

I trust you are all well. My web application runs on Tomcat 6.0.43 and does not use Apache or nginx in front. I already enforce an HTTP-to-HTTPS redirect for my web app using: URL Redirect at ../webapps/ROOT/index.jsp <%…
epiziv
11 votes, 2 answers

Which HSTS preload list is used by which browser?

I've been reading various pieces of information about Google and Firefox using an HSTS preload list. It seems that there is a generic list here: https://hstspreload.org/ and that Chrome uses the one from Chromium here: https://www.chromium.org/hsts/ and…
Elvex