Configuring or customizing the HSTS of a website/hosting
This guide explains how to disable or set HTTP Strict Transport Security (HSTS) for a website. When HSTS is enabled for a website, the server tells site visitors (if their web browser supports it) to replace all non-secure links with secure links for the duration given by max-age. For example, http://www.example.com/a/page/ is automatically replaced by https://www.example.com/a/page/ before the request leaves the browser.
After an SSL certificate has been enabled on a website, HSTS is sent by default with the following value:
max-age=16000000
Disabling HSTS
1. With a CMS (WordPress, Joomla, etc.)
The following line must be executed on every page generated by the CMS, before any output is sent (headers cannot be changed once the body has started):
header( 'Strict-Transport-Security: max-age=0;' );
For WordPress, this command can, for example, be added in the functions.php file of your theme:
// Hook into WordPress just before it sends its own headers.
add_action( 'send_headers', 'add_header_xua' );
function add_header_xua() {
    // max-age=0 tells the browser to forget the HSTS policy it cached for this host.
    header( 'Strict-Transport-Security: max-age=0;' );
}
For more details on WordPress: https://codex.wordpress.org/Plugin_API/Action_Reference/send_headers
2. With a PHP site
The following line must be included on all PHP pages, before any output is sent:
header( 'Strict-Transport-Security: max-age=0;' );
To do this without having to change every PHP page on a site, the PHP auto_prepend_file directive can be set in the .user.ini file of the site concerned, so that the file is run before every script:
auto_prepend_file=/home/clients/xxxx/web/hsts_disable.php
... with the following hsts_disable.php file (the file must start with the PHP open tag, otherwise its text is sent to the visitor as output; leave no whitespace before it):
<?php
// Run before every PHP script of the site: clears the cached HSTS policy.
header( 'Strict-Transport-Security: max-age=0;' );
3. With a site with static content (non-PHP)
This header must be added to the .htaccess file (it uses the Header directive of Apache's mod_headers; "always" makes it apply to error responses too):
# BEGIN DISABLE HSTS
Header always set Strict-Transport-Security "max-age=0; includeSubDomains;"
# END DISABLE HSTS
Customizing the HSTS
The default value can be modified in the PHP files of your website using the following command:
header( 'Strict-Transport-Security: max-age=X; includeSubDomains; preload' );
(X being the number of seconds required)
Only keep preload if you intend to submit the domain to the browsers' HSTS preload list: inclusion requires includeSubDomains and a max-age of at least one year (31536000 seconds), and removal from the list takes far longer than lowering max-age. The test max-age=0 from the sections above is convenient while checking the configuration.
Enabling HSTS for all the sub-domains hosted
includeSubDomains; is enabled by default and, as its name suggests, extends the "Strict Transport Security" policy to every subdomain of the host that sent the header.
When visitors go to a non-secure subdomain, the browser will automatically switch to HTTPS; if that subdomain has no valid certificate, it triggers a security error that the visitor cannot bypass.
If this behaviour is not wanted, the includeSubDomains directive must be removed from the header.
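To verify what a site actually sends after applying one of the disable or customize settings above, here is a small checker written for this guide (it is an added example, not part of the hosting documentation or of any product). The parse_hsts and classify helpers are assumptions of this example and follow the RFC 6797 header syntax; the preload threshold of one year is the current requirement of the public preload list; check_url needs network access, the parsing itself runs offline on the constructed sample values.

```python
import re
import sys
import urllib.error
import urllib.request

# Current requirement of the browsers' HSTS preload list: max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Directives are separated by ';', names are case-insensitive and empty
    directives (e.g. the trailing ';' in 'max-age=0;') are allowed.
    Returns a dict with max_age (int or None), include_subdomains, preload.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # the value may be a token or a quoted string
        if name == "max-age":
            if policy["max_age"] is not None:
                raise ValueError("RFC 6797 forbids repeating a directive (max-age)")
            if not re.fullmatch(r"[0-9]+", arg):
                raise ValueError(f"invalid max-age value: {arg!r}")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored by browsers, so they are ignored here too.
    return policy


def classify(policy):
    """Describe what a browser will do with the parsed policy."""
    if policy["max_age"] is None:
        return "invalid (no max-age directive, browsers ignore the header)"
    if policy["max_age"] == 0:
        return "disabled (max-age=0 makes the browser forget the host's policy)"
    if (policy["preload"] and policy["include_subdomains"]
            and policy["max_age"] >= PRELOAD_MIN_MAX_AGE):
        return "enabled, preload-eligible"
    if policy["preload"]:
        return "enabled, preload directive present but requirements not met"
    return "enabled"


def check_url(url, timeout=10):
    """Fetch url and return its parsed HSTS policy, or None if no header is sent.

    Browsers only honour HSTS received over TLS, so the URL must be https://.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("HSTS is only evaluated over https://")
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            value = resp.headers.get("Strict-Transport-Security")
    except urllib.error.HTTPError as err:
        # Error pages can carry the header too (cf. "Header always set").
        value = err.headers.get("Strict-Transport-Security")
    return parse_hsts(value) if value else None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        policy = check_url(sys.argv[1])
        print("no HSTS header" if policy is None else f"{policy} -> {classify(policy)}")
    else:
        # Constructed sample values taken from the settings discussed in this guide.
        for sample in ("max-age=16000000", "max-age=0;",
                       "max-age=0; includeSubDomains;",
                       "max-age=31536000; includeSubDomains; preload"):
            print(f"{sample!r:50} -> {classify(parse_hsts(sample))}")
```

Run it with no arguments to see the sample values classified, or with an https:// URL to inspect a live site; the "disabled" verdict is what you should see on the site once one of the max-age=0 settings is in place.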
Deleting the HSTS cache from your browser
Chrome:
- Type chrome://net-internals/#hsts in the address bar
- Enter the domain name in the text field of the "Delete domain security policies" section
- Click on Delete
- Enter the domain name in the text field of the "Query HSTS" section
- Click on Query
- The response must be "Not found"
Safari:
- Start by closing the browser
- Delete the ~/Library/Cookies/HSTS.plist file
- Reopen Safari
Firefox:
- Close all tabs
- Open the Firefox menu and click on History / Show history
- Look for the page for which you want to delete the HSTS options
- Right-click on one of the corresponding entries
- Choose Forget this site