HSTS work-arounds

Updated on 26 Sep 2020

If you’ve followed my last few tutorials, you might be in for a bit of a shock when you attempt to navigate to a localhost site via http: Chrome somehow forces you onto https.

The reason for this is most likely HSTS (HTTP Strict Transport Security), which basically means that if you’ve come to my site via https, then the next time you visit you’ll be forced onto https if you’re within a given timeframe. This is an extra security layer, but it can cause issues if you’re trying to develop and test on localhost.

Reset HSTS on localhost

Type chrome://net-internals/#hsts into the Chrome address bar, scroll to the bottom and add localhost to the Delete domain security policies section. Once that is done, you should be fine to resume navigation back to http on your localhost.

Permanent solution

In my earlier tutorial on setting up SSL with Apache, I created and enabled a parameter configuration file, /etc/apache2/ssl-params.cnf.

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  A real pain if you want to revert back to http later during testing.
# because the HSTS will force you back to https within the max-age limit...
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

In this file I have commented out the following parameter:

# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

This is an HSTS (HTTP Strict Transport Security) parameter, and it will force the user back onto https if they were on https the last time they visited (within the max-age time limit, which is set in seconds). So you can comment out this line, or set max-age to a lower value, if you don’t want to be forced back to https each time you visit.
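To make the max-age behaviour concrete, here is a small model of what the browser does with that header (an added illustration, not code from the original tutorial or from Apache): it parses Strict-Transport-Security, remembers a policy per host until max-age lapses, and upgrades later http:// navigations. The host names, times and header values below are constructed for the example.

```python
"""Toy model of a browser's HSTS handling (added illustration, not part of the
tutorial): parse Strict-Transport-Security, remember a per-host policy until
max-age lapses, and upgrade later http:// navigations.  Inputs are constructed."""
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header, now):
    """Return (expires_at, include_subdomains), or None if the header is invalid.
    max-age is in seconds; max-age=0 tells the browser to forget the host."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if not value.strip().strip('"').isdigit():
                return None                       # browsers ignore a malformed max-age
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
        # 'preload' only matters to the browser preload list, not at run time
    return None if max_age is None else (now + max_age, include_sub)


class HstsStore:
    """Policies keyed by host: what 'Delete domain security policies' clears."""
    def __init__(self):
        self.policies = {}

    def observe(self, url, sts_header, now):
        parts, policy = urlsplit(url), parse_sts(sts_header, now)
        if parts.scheme != "https" or policy is None:
            return                                # header only honoured over https
        if policy[0] <= now:                      # max-age=0: forget the host
            self.policies.pop(parts.hostname, None)
        else:
            self.policies[parts.hostname] = policy

    def delete(self, host):
        self.policies.pop(host, None)

    def rewrite(self, url, now):
        parts = urlsplit(url)                     # return the URL the browser fetches
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):              # exact host first, then each parent domain
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy[0] <= now:
                continue                          # nothing stored, or max-age has lapsed
            if i == 0 or policy[1]:               # parent counts only with includeSubDomains
                return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

With the tutorial's header (max-age=63072000, about two years), one https visit to localhost is enough for every http://localhost URL to be upgraded until the store entry is deleted; with a short max-age the redirect simply stops once the time runs out.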