Unset or Expire HSTS Policy on Apache Server

Tags: apache, hsts

I set this line in an SSL vhost on my server. I am running Apache 2.x.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

This was a major mistake, because now I want to remove it and force users back to http pages sometimes. It was not enabled for very long, but I don't want to lose anyone. If I try to force users back to http pages right now they end up in a redirect loop.

How can I unset or expire HSTS using settings on the server so that when users do visit the site and hit the https version of the site the Strict-Transport-Security setting is removed from their browser and they are able to be redirected to http?

I already know I made a dumb mistake. I learned a lesson and just need to clean it up now.

Brandon Bearden asked Feb 13 '14 22:02



1 Answer

Figured it out:

NOTE: A max-age value of zero (i.e., "max-age=0") signals the UA to cease regarding the host as a Known HSTS Host, including the includeSubDomains directive (if asserted for that HSTS Host). See also Section 8.1 ("Strict-Transport-Security Response Header Field Processing").

From the RFC 6797 document.

So, I will just set the following line and leave it for a few months before removing it.

Header always set Strict-Transport-Security "max-age=0; includeSubDomains"
Brandon Bearden answered Oct 01 '22 13:10
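To see why the `max-age=0` line in the answer works (and why the redirect loop happened in the first place), here is an added example, not part of the original Q&A, that models how a browser processes Strict-Transport-Security headers per RFC 6797: an HSTS policy is only accepted over HTTPS, it rewrites `http://` URLs before any request leaves the browser, and `max-age=0` deletes the stored entry together with its includeSubDomains flag. Hostnames, header values and the in-memory store below are constructed for the demonstration.

```python
"""Minimal model of a user agent's HSTS store (RFC 6797 section 8.1 behaviour).
Added illustration; not code from the original question or from Apache."""
import re

# Known HSTS hosts: host -> {"expires": seconds, "include_subdomains": bool}.
# A real browser stores an absolute expiry time; relative seconds keep this simple.
known_hosts = {}

def process_sts_header(host, header_value, over_https):
    """Apply one STS header received for host; return the resulting policy or None."""
    # Section 8.1: an STS header received over plain HTTP is ignored entirely,
    # so the header has to be sent by the HTTPS vhost to have any effect.
    if not over_https:
        return known_hosts.get(host)
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', header_value, re.I)
    if not m:
        return known_hosts.get(host)  # max-age is required; invalid header is ignored
    max_age = int(m.group(1))
    # max-age=0 tells the UA to stop treating the host as a Known HSTS Host,
    # which also drops the includeSubDomains directive stored for it.
    if max_age == 0:
        known_hosts.pop(host, None)
        return None
    include_sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)",
                            header_value, re.I) is not None
    known_hosts[host] = {"expires": max_age, "include_subdomains": include_sub}
    return known_hosts[host]

def would_upgrade(url):
    """Would this UA rewrite an http:// URL to https:// before sending it?
    If yes, a server-side redirect from https to http can never 'win': the
    browser upgrades again before the http request is ever made."""
    m = re.match(r"http://([^/:]+)", url, re.I)
    if not m:
        return False
    host = m.group(1).lower()
    for known, policy in known_hosts.items():
        if host == known:
            return True
        if policy["include_subdomains"] and host.endswith("." + known):
            return True
    return False
```

Once `max-age=0` has been served over HTTPS, `would_upgrade` returns False for the host and its subdomains, which is exactly the state the answer is waiting for before removing the header altogether.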