I have the following setup:

The application https://app.domain.de is our production environment and is automatically forwarded to use HTTPS. All works fine here. On top, there are several development versions of the application for our QA team accessible via http://develop.app.domain.de (no HTTPS needed here).

The problem begins here: as soon as I visit https://app.domain.de, Chrome (and I guess also other browsers) forwards http://develop.app.domain.de (no HTTPS) to https://develop.app.domain.de (HTTPS) as well. I can of course disable HSTS and clear the cache for this domain and http://develop.app.domain.de will work, but only until I visit https://app.domain.de again.

I cannot enable HTTPS for our development environments, as you need to have at least a Hobby Plan in Heroku to do so, and that would therefore be a waste of money for all our development and test environments of the application. I would also like to keep the URL schema.

So my question is: how can I disable this nasty forwarding (HSTS) permanently?
You can type thisisunsafe anywhere on the Google Chrome warning page and it will load it without warning. No joke.
On the main domain, you can remove the includeSubDomains option of your HSTS header, so it will not redirect the subdomain.

However, this is not the most secure solution. To be effective, it's better to set HSTS+includeSubDomains on all your domains and subdomains (or an attacker can fake the domain "http://secure.yourdomain.com", for example).

So the most secure solution is to use a self-signed certificate (or a real one) for your dev domains and import it into your browsers beforehand.
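To illustrate the includeSubDomains point in the answer above, here is an added simulation of a browser's HSTS cache (constructed example, not code from the question or the answers); the host names and header values are taken from the question, and the cache never expires entries, which a real browser does after max-age seconds.

```python
"""Constructed simulation of a browser's HSTS cache (not code from the thread):
shows why https://app.domain.de with includeSubDomains also upgrades
http://develop.app.domain.de, and that dropping the directive stops it."""
from typing import Dict, Tuple

# host -> (max_age, includeSubDomains); a real browser also stores an expiry time
HstsCache = Dict[str, Tuple[int, bool]]

def parse_sts(value: str) -> Tuple[int, bool]:
    """Parse a Strict-Transport-Security value; names are case-insensitive (RFC 6797)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required")  # browsers ignore a header without it
    return max_age, include_sub

def record_visit(cache: HstsCache, host: str, sts_header: str) -> None:
    """Update the cache as a browser would after an error-free HTTPS response."""
    max_age, include_sub = parse_sts(sts_header)
    if max_age == 0:
        cache.pop(host, None)  # max-age=0 tells the browser to forget this host
    else:
        cache[host] = (max_age, include_sub)

def must_upgrade(cache: HstsCache, host: str) -> bool:
    """True if an http:// request to host would be rewritten to https://."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = cache.get(".".join(labels[i:]))
        # an exact match always applies; a parent domain only with includeSubDomains
        if entry and (i == 0 or entry[1]):
            return True
    return False

def demo() -> Dict[str, bool]:
    """Replay the situation from the question with and without includeSubDomains."""
    cache: HstsCache = {}
    record_visit(cache, "app.domain.de", "max-age=31536000; includeSubDomains")
    with_sub = must_upgrade(cache, "develop.app.domain.de")
    record_visit(cache, "app.domain.de", "max-age=31536000")  # main site drops the directive
    without_sub = must_upgrade(cache, "develop.app.domain.de")
    return {"dev_upgraded_with_directive": with_sub, "dev_upgraded_without": without_sub,
            "main_still_upgraded": must_upgrade(cache, "app.domain.de")}
```

Note that the cached entry is only replaced when the browser next receives the changed header from https://app.domain.de, which is why clearing the HSTS state alone does not help until the main site stops sending includeSubDomains.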