This guide explains how to disable or configure HSTS for a website.

Preamble

• When HSTS is enabled for a website, the server tells the site visitor (if their web browser is compatible) to replace all non-secure links with secure links.
• Example: http://www.example.com/a/page/ is automatically replaced by https://www.example.com/a/page/.
• After activating an SSL certificate on a website, HSTS is configured as follows: max-age=16000000.

Disable HSTS…

… with a CMS (WordPress, Joomla, etc.)

Include the following line in all pages generated by the CMS:

header( 'Strict-Transport-Security: max-age=0;' );

For WordPress, for example, it is possible to add this directive in the functions.php file of your theme:

add_action( 'send_headers', 'add_header_xua' );
function add_header_xua() {
header( 'Strict-Transport-Security: max-age=0;' );
}

More details on WordPress

… with a PHP site

Include the following line in all php pages:

header( 'Strict-Transport-Security: max-age=0;' );

To do this without having to modify each php page of a site, it is possible to use the auto_prepend_file directive in the .user.ini file of the concerned site:

auto_prepend_file=/home/clients/xxxx/web/hsts_disable.php

... with the following hsts_disable.php file:

header( 'Strict-Transport-Security: max-age=0;' );

… with a static content site (non-PHP)

Include this header in a .htaccess file:

# BEGIN DISABLE HSTS
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=0; includeSubDomains;"
</IfModule>
# END DISABLE HSTS

Customize HSTS

header( 'Strict-Transport-Security: max-age=X; includeSubdomains; preload' );

includeSubDomains; is enabled by default and as its name indicates, it will include subdomains in the "Strict Transport Security".

When the visitor goes to an unsecured subdomain, the browser will automatically redirect to HTTPS and cause a security error.

If this behavior is not desired, this header must be removed.

Clear the browser HSTS cache…

… on Chrome

1. In Chrome, type chrome://net-internals/#hsts.
2. Enter the domain name in the text field of the "Delete domain security policies" section.
3. Click the Delete button.
4. Enter the domain name in the text field of the "Query HSTS" section.
5. Click the Query button.
6. The response must be "Not found".

… on Safari

1. With Safari, start by closing the browser.
2. Delete the file ~/Library/Cookies/HSTS.plist.
3. Reopen Safari.

… on Firefox

1. With Firefox, close all tabs.
2. Open the Firefox menu and click on History / View History.
3. Search for the page whose HSTS preferences you want to delete.
4. Right-click on one of the entries corresponding to it.
5. Choose Forget this site.