Manage HSTS for a website/hosting
This guide explains how to disable or configure HSTS for a website.
Introduction
- When HSTS is enabled for a website, the server instructs the visitor's browser (if it supports HSTS) to replace every http:// link for the domain with its https:// equivalent before the request is sent.
- Example: http://www.exemple.com/une/page/ is automatically replaced by https://www.exemple.com/une/page/.
- After activating an SSL certificate on a website, HSTS is configured as follows: max-age=16000000.
Disabling HSTS...
… with a CMS (WordPress, Joomla, etc.)
Include the following line in all pages generated by the CMS:
header( 'Strict-Transport-Security: max-age=0;' );
For WordPress, it is possible, for example, to add this directive in the functions.php file of your theme:
// Send max-age=0 with every response so that browsers drop the stored HSTS policy
add_action( 'send_headers', 'add_header_xua' );
function add_header_xua() {
header( 'Strict-Transport-Security: max-age=0;' );
}
… with a PHP site
Include the following line in all php pages:
header( 'Strict-Transport-Security: max-age=0;' );
To do this without having to modify each PHP page of the site, it is possible to use the auto_prepend_file directive in the .user.ini file of the site in question:
auto_prepend_file=/home/clients/xxxx/web/hsts_disable.php
… with the following hsts_disable.php file (the opening PHP tag is required, otherwise the file is sent as plain text and the header is never set):
<?php
header( 'Strict-Transport-Security: max-age=0;' );
… with a static content (non-PHP) site
Include this header in a .htaccess
file:
# BEGIN DISABLE HSTS
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=0; includeSubDomains;"
</IfModule>
# END DISABLE HSTS
Customize HSTS
The default value can be changed in your website's PHP files using the following directive:
header( 'Strict-Transport-Security: max-age=X; includeSubDomains; preload' );
(X being the number of seconds desired).
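The following file is an added example written for this guide; it is not Infomaniak's code and the function names (hsts_header_value, request_is_https, send_hsts) are hypothetical. It covers both the "disable" case (max-age=0) from the sections above and the customised header from this section, and adds two checks a practitioner wants: the header is only sent over HTTPS (browsers ignore Strict-Transport-Security received over plain HTTP, RFC 6797, so a max-age=0 reset must reach the browser on an HTTPS visit), and the preload flag is refused unless includeSubDomains is set and max-age is at least one year, which is what the hstspreload.org list requires. It assumes PHP 7.4 or later and that $_SERVER['HTTPS'] reflects the real connection (behind a TLS-terminating proxy you would have to trust a forwarded header instead).

```php
<?php
// hsts.php - added example, not part of the original guide.
// Builds and sends a Strict-Transport-Security header with sanity checks.
declare(strict_types=1);

/**
 * Build the header value. Throws on combinations browsers would reject or the
 * preload list would refuse (preload needs includeSubDomains and a max-age of
 * at least one year, 31536000 seconds). max_age = 0 is the "disable" value.
 */
function hsts_header_value(int $max_age, bool $include_subdomains = false, bool $preload = false): string
{
    if ($max_age < 0) {
        throw new InvalidArgumentException('max-age must be >= 0');
    }
    if ($preload && (!$include_subdomains || $max_age < 31536000)) {
        throw new InvalidArgumentException('preload requires includeSubDomains and max-age >= 31536000');
    }
    $value = 'max-age=' . $max_age;
    if ($include_subdomains) {
        $value .= '; includeSubDomains';
    }
    if ($preload) {
        $value .= '; preload';
    }
    return $value;
}

/**
 * True when the current request arrived over TLS. Assumption: PHP sees the
 * real connection; behind a proxy you would check a forwarded header you trust.
 */
function request_is_https(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

/**
 * Send the header on HTTPS responses only. Browsers ignore HSTS received over
 * plain HTTP (RFC 6797), so sending it there is pointless and a max-age=0
 * reset would be silently dropped. Returns the value sent, or null if not sent.
 */
function send_hsts(int $max_age, bool $include_subdomains = false, bool $preload = false): ?string
{
    if (!request_is_https() || headers_sent()) {
        return null;
    }
    $value = hsts_header_value($max_age, $include_subdomains, $preload);
    header('Strict-Transport-Security: ' . $value, true); // true: replace any earlier HSTS header
    return $value;
}

// Pick one of these at the end of the file when using it via auto_prepend_file:
// send_hsts(0);                      // disable: browsers forget the policy on their next HTTPS visit
// send_hsts(31536000, true);         // one year, subdomains included
// send_hsts(63072000, true, true);   // two years + preload (only if you submit to hstspreload.org)

// Self-check when run from the command line: show the values that would be sent.
if (PHP_SAPI === 'cli') {
    echo hsts_header_value(0), "\n";                  // max-age=0
    echo hsts_header_value(31536000, true), "\n";     // max-age=31536000; includeSubDomains
    echo hsts_header_value(63072000, true, true), "\n";
}
```

To use it the way the guide uses hsts_disable.php, point auto_prepend_file at this file and add send_hsts(0); as the last line; once every visitor has loaded one HTTPS page, the stored policy is gone and the header can be removed. Be careful with preload: once a domain is on the browser preload list, removal takes months, so only set that flag if you intend to keep HTTPS on the domain and all its subdomains permanently.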
Enable HSTS for all hosted subdomains
The includeSubDomains directive is enabled by default and, as its name indicates, extends the Strict-Transport-Security policy to every subdomain of the site.
When a visitor opens a subdomain that is not served over HTTPS with a valid certificate, the browser will still force HTTPS and show a security error instead of the page.
If this behavior is not desired, you need to remove the includeSubDomains directive from the header.
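To see what a given header value actually does, in particular how max-age=0 and includeSubDomains combine, here is an added example (not from the original guide) that parses a Strict-Transport-Security value the way a browser reads it and prints a verdict. The function names (parse_hsts, describe_hsts, fetch_hsts) are hypothetical, the sample values are constructed, and fetch_hsts needs network access, so it is only shown as an optional last step for checking a site you operate.

```php
<?php
// hsts_check.php - added example, not part of the original guide.
declare(strict_types=1);

/**
 * Parse a value such as "max-age=0; includeSubDomains;" into
 * ['max_age' => int|null, 'include_subdomains' => bool, 'preload' => bool].
 * Directive names are case-insensitive (RFC 6797); an empty directive left by
 * a trailing ";" is skipped; a missing or non-numeric max-age makes the header
 * invalid (max_age => null), and browsers then ignore it entirely.
 */
function parse_hsts(string $value): array
{
    $policy = ['max_age' => null, 'include_subdomains' => false, 'preload' => false];
    foreach (explode(';', $value) as $directive) {
        $directive = trim($directive);
        if ($directive === '') {
            continue;
        }
        [$name, $arg] = array_pad(explode('=', $directive, 2), 2, null);
        $name = strtolower(trim($name));
        $arg = $arg === null ? null : trim($arg, " \t\"");
        if ($name === 'max-age' && $arg !== null && preg_match('/^\d+$/', $arg)) {
            $policy['max_age'] = (int)$arg;
        } elseif ($name === 'includesubdomains') {
            $policy['include_subdomains'] = true;
        } elseif ($name === 'preload') {
            $policy['preload'] = true;
        }
        // Unknown directives are ignored, as browsers do.
    }
    return $policy;
}

/** Human-readable verdict for one parsed policy. */
function describe_hsts(array $policy): string
{
    if ($policy['max_age'] === null) {
        return 'invalid: no max-age, browsers ignore the header';
    }
    if ($policy['max_age'] === 0) {
        // RFC 6797 8.1: max-age=0 deletes the cached policy for the host,
        // so includeSubDomains has nothing left to apply to.
        return 'disabled: browsers delete any stored policy for this host'
            . ($policy['include_subdomains'] ? ' (includeSubDomains has no effect with max-age=0)' : '');
    }
    return sprintf('enabled for %d days%s%s',
        intdiv($policy['max_age'], 86400),
        $policy['include_subdomains'] ? ', subdomains included (each one needs valid HTTPS)' : '',
        $policy['preload'] ? ', preload flag set' : '');
}

/**
 * Fetch the live header from a site you operate (network access required).
 * Use an https:// URL: a server should not send HSTS over plain HTTP at all.
 */
function fetch_hsts(string $https_url): ?string
{
    $headers = @get_headers($https_url, true);
    if ($headers === false) {
        return null;
    }
    foreach ($headers as $name => $val) {
        if (is_string($name) && strcasecmp($name, 'Strict-Transport-Security') === 0) {
            return is_array($val) ? end($val) : $val; // last value wins after redirects
        }
    }
    return null;
}

// Constructed sample values (not captured from a real server).
$samples = [
    'max-age=16000000; includeSubDomains',          // the default described above
    'max-age=0; includeSubDomains;',                 // the .htaccess "disable" rule
    'max-age=31536000; includeSubDomains; preload',
    'includeSubDomains',                             // broken: no max-age
];
foreach ($samples as $s) {
    printf("%-48s -> %s\n", $s, describe_hsts(parse_hsts($s)));
}
// To check a real site: echo fetch_hsts('https://www.exemple.com/') ?? 'no HSTS header', "\n";
```

The second sample is the header set by the .htaccess rule above: max-age=0 wins, so the includeSubDomains flag does no harm there. For a live check, the header must be read from an HTTPS response, and the value you see is what visitors' browsers will store until max-age expires or a max-age=0 header replaces it.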
Clear the browser's HSTS cache…
… on Chrome
- In Chrome, type chrome://net-internals/#hsts
- Enter the domain name in the text field of the "Delete domain security policies" section.
- Click the Delete button.
- Enter the domain name in the text field of the "Query HSTS" section.
- Click on the Query button.
- The response should be "Not found".
… on Safari
- With Safari, start by closing the browser.
- Delete the file ~/Library/Cookies/HSTS.plist.
- Reopen Safari.
… on Firefox
- With Firefox, close all tabs.
- Open the Firefox menu and click on History / View History.
- Search for the page whose HSTS preferences you want to delete.
- Right-click on one of the corresponding entries.
- Choose Forget this site.