How to disable HTTP Strict Transport Security?

Question

I had a Rails application with config.force_ssl = true, but now I dont want SSL encryption, but my app is still redirecting to https. I read this is a HTTP Strict Transport Security problem on Apache. How can I disable it?

Answer 1

It's not a problem with Apache, but with the fact that Rails sends an HSTS header.

In Chrome, you can clear the HSTS state by going into about:net-internals, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = true also uses a 301 (permanent) redirection.

In addition, according to this answer, you could also make your application send an STS header with max-age=0. In your controller:

response.headers["Strict-Transport-Security"] = 'max-age=0' 

Answer 2

Just wanted to point out @Bruno's answer and @JoeVanDyk's suggestions are true and can be applied beyond the context of Rails/Apache. I'm using PHP and Nginx. PHP has nothing to do with it in my case, but here's the steps with Nginx:

//sorry here's the nginx.conf part first, can't figure out how to mix multi-line  //code with an ordered list  server {    #...    #change:    # add_header  Strict-Transport-Security "max-age=315360000; includeSubdomains";         #to:    add_header  Strict-Transport-Security "max-age=0;";    #... } 

1. clear your "browser history". To clarify on @JoeVanDyk's suggestion , I think you need to clear "browsing history" because clearing the cache didn't work for me (tested on Chrome/Firefox, please add comments if you know more).

2. nginx.conf file (see code above)

3. restart server

   root@ip-xxx-xxx-xxx:~# /etc/init.d/nginx restart.

After this, you can revert the nginx add_header Strict.. command to what you previously had. Just make sure you repeat steps 1-3 again.