How to disable HTTP Strict Transport Security?

I had a Rails application with config.force_ssl = true, but now I don't want SSL encryption, but my app is still redirecting to https. I read this is an HTTP Strict Transport Security problem on Apache. How can I disable it?

Phifo Avatar asked May 17 '12 03:05

Phifo



2 Answers

It's not a problem with Apache, but with the fact that Rails sends an HSTS header.

In Chrome, you can clear the HSTS state by going into about:net-internals, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = true also uses a 301 (permanent) redirection.

In addition, according to this answer, you could also make your application send an STS header with max-age=0. In your controller:

response.headers["Strict-Transport-Security"] = 'max-age=0' 
Bruno Avatar answered Sep 27 '22 23:09

Bruno


Just wanted to point out @Bruno's answer and @JoeVanDyk's suggestions are true and can be applied beyond the context of Rails/Apache. I'm using PHP and Nginx. PHP has nothing to do with it in my case, but here's the steps with Nginx:

    # sorry here's the nginx.conf part first, can't figure out how to mix multi-line
    # code with an ordered list
    server {
        #...
        #change:
        # add_header  Strict-Transport-Security "max-age=315360000; includeSubdomains";
        #to:
        add_header  Strict-Transport-Security "max-age=0;";
        #...
    }
  1. clear your "browser history". To clarify on @JoeVanDyk's suggestion, I think you need to clear "browsing history" because clearing the cache didn't work for me (tested on Chrome/Firefox, please add comments if you know more).

  2. nginx.conf file (see code above)

  3. restart server

    root@ip-xxx-xxx-xxx:~# /etc/init.d/nginx restart

After this, you can revert the nginx add_header Strict.. command to what you previously had. Just make sure you repeat steps 1-3 again.

tim peterson Avatar answered Sep 27 '22 21:09

tim peterson
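As an added example (not code from either answer), here is a small Python model of how a browser handles the two header values in the nginx snippet above. It shows why the max-age=0 response has to be served over https (RFC 6797 says a browser ignores a Strict-Transport-Security header received over plain HTTP) and that the trailing ';' in "max-age=0;" is harmless. The host name example.test and the store layout are constructed for the example.

```python
from typing import Dict, Optional, Tuple

# Constructed sample values: the "before" and "after" headers from the nginx snippet.
OLD_HEADER = 'max-age=315360000; includeSubdomains'
CLEAR_HEADER = 'max-age=0;'

def parse_sts(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header is
    malformed (missing or non-numeric max-age, repeated directive); a
    conforming browser ignores a malformed header entirely.
    """
    seen = set()
    max_age = None
    include_sub = False
    for raw in value.split(';'):
        directive = raw.strip()
        if not directive:                  # tolerates the trailing ';' in "max-age=0;"
            continue
        name, _, val = directive.partition('=')
        name = name.strip().lower()        # directive names are case-insensitive
        val = val.strip().strip('"')       # values may be quoted
        if name in seen:                   # duplicate directives invalidate the header
            return None
        seen.add(name)
        if name == 'max-age':
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == 'includesubdomains':
            include_sub = True
        # unknown directives are ignored, not an error
    return None if max_age is None else (max_age, include_sub)

def apply_sts(store: Dict[str, Tuple[int, bool]], host: str,
              header: Optional[str], over_tls: bool) -> Dict[str, Tuple[int, bool]]:
    """Update a browser-style HSTS host store for one response.

    Only a response received over TLS can set or clear a policy; max-age=0
    deletes the host entry, which is what the answers above rely on.
    """
    if not over_tls or header is None:
        return store
    parsed = parse_sts(header)
    if parsed is None:
        return store
    max_age, include_sub = parsed
    if max_age == 0:
        store.pop(host, None)
    else:
        store[host] = (max_age, include_sub)
    return store
```

The store here models only the host entry and its flags; a real browser also records an expiry time derived from max-age.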