Manage HSTS for a website / web hosting
This guide explains how to disable or configure HSTS (HTTP Strict Transport Security) for a website.
Preamble
- When HSTS is activated for a website, the server tells the site's visitors (if their web browser supports it) to replace all unsecured links with secure links.
- Example: http://www.exemple.com/une/page/ is automatically replaced by https://www.exemple.com/une/page/.
- After an SSL certificate has been activated on a website, HSTS is configured as follows: max-age=16000000.
Disable HSTS...
... with a CMS (WordPress, Joomla, etc.)
Include the following line in all pages generated by the CMS:
header( 'Strict-Transport-Security: max-age=0;' );
For WordPress, it is possible, for example, to add this directive to the functions.php file of your theme:
add_action( 'send_headers', 'add_header_xua' );
function add_header_xua() {
header( 'Strict-Transport-Security: max-age=0;' );
}
More details on WordPress
... with a PHP site
Include the following line in all PHP pages:
header( 'Strict-Transport-Security: max-age=0;' );
To do this without having to modify every PHP page of the site, it is possible to use the auto_prepend_file directive in the .user.ini file of the site concerned:
auto_prepend_file=/home/clients/xxxx/web/hsts_disable.php
... with the hsts_disable.php file containing the following:
<?php
header( 'Strict-Transport-Security: max-age=0;' );
... with a site with static content (no PHP)
Include this header in a .htaccess file:
# BEGIN DISABLE HSTS
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=0; includeSubDomains;"
</IfModule>
# END DISABLE HSTS
Customize the HSTS
The default value can be changed in the PHP files of your website with the following directive:
header( 'Strict-Transport-Security: max-age=X; includeSubdomains; preload' );
(X is the desired number of seconds).
Enable HSTS for all hosted subdomains
includeSubDomains is enabled by default and, as its name indicates, includes subdomains in the Strict Transport Security policy.
When a visitor opens a subdomain over an unsecured link, the browser automatically switches to HTTPS, which causes a security error.
If this behavior is not desired, this directive should be removed from the header.
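As an added check for the disable, customize and includeSubDomains sections above (example code, not part of the original guide): a small Python parser for Strict-Transport-Security header values that reports whether a header disables the policy (max-age=0), how long it stays active and whether subdomains are covered. The sample header values are constructed to mirror the ones shown in this guide. The preload-eligibility thresholds (max-age of at least one year, includeSubDomains and preload present) are stated as an assumption about the hstspreload.org submission rules.

```python
"""Parse and classify Strict-Transport-Security header values (RFC 6797).

Added example, not code from the original guide; the sample header values
below are constructed and mirror the ones shown in the guide.
"""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; assumed hstspreload.org minimum for preload submission


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # seconds, or None when the directive is missing or malformed
    include_subdomains: bool
    preload: bool

    def is_active(self) -> bool:
        """max-age=0 (or a missing max-age) tells the browser to forget the host's policy."""
        return self.max_age is not None and self.max_age > 0

    def preload_eligible(self) -> bool:
        """Assumed preload-list requirements: >= 1 year, includeSubDomains and preload set."""
        return (self.is_active() and self.max_age >= ONE_YEAR
                and self.include_subdomains and self.preload)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one header value; tolerant of a trailing ';' and mixed-case directive names."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # e.g. the trailing ';' in 'max-age=0;'
        name, _, arg = directive.partition("=")
        name = name.strip().lower()   # RFC 6797: directive names are case-insensitive
        arg = arg.strip().strip('"')  # max-age may be sent as a quoted-string
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def describe(value: str) -> str:
    """Human-readable summary, as an operator would want after changing the header."""
    policy = parse_hsts(value)
    if not policy.is_active():
        return "disabled: browsers drop the cached policy on the next HTTPS visit"
    scope = "host and all subdomains" if policy.include_subdomains else "this host only"
    days = policy.max_age // 86400
    summary = f"active for {days} days, scope: {scope}"
    if policy.preload:
        summary += ", preload requested"
        if not policy.preload_eligible():
            summary += " (below assumed preload minimum)"
    return summary


# Constructed sample values mirroring the guide: the default after SSL
# activation, the two disable directives, and a customised header.
SAMPLES = [
    "max-age=16000000",
    "max-age=0;",
    "max-age=0; includeSubDomains;",
    "max-age=31536000; includeSubdomains; preload",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:50} -> {describe(sample)}")
```

Run it after deploying a change and paste the value your server actually returns (for example from the response headers shown in the browser's developer tools) to confirm the header says what you intended, in particular that a disable header really carries max-age=0 and that includeSubDomains is absent when you removed it.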
Clear the browser's HSTS cache
To do this:
- In Chrome, type chrome://net-internals/#hsts in the address bar.
- Enter the domain name in the text field of the "Delete domain security policies" section.
- Click the Delete button.
- Enter the domain name in the text field of the "Query HSTS" section.
- Click the Query button.
- The answer must be "Not found".
- With Safari, start by closing the browser.
- Delete the file ~/Library/Cookies/HSTS.plist.
- Open Safari.
- With Firefox, close all tabs.
- Open the Firefox menu and click History / Show History.
- Look for the page from which you want to remove the HSTS preferences.
- Right-click on one of the corresponding entries.
- Choose Forget this site.