Having trouble disabling HTTP strict transport security?

published Feb 15, 2022

The problem may be in your browser. Here's the fix.

You're doing local development with some self-signed certificates, and your site won't load.  The browser tells you that the site has HTTP transport security enabled, and therefore you can't add a certificate exception.

You've tried everything — disabling your local Web server's HSTS headers, deleting all site data, forgetting all site settings, restarting the browser, perhaps even deleting the profile. And yet, the browser stubbornly refuses to acknowledge that your local development site no longer has HSTS enabled.

It may be the browser's HSTS preloading list!

Most browser manufacturers ship a list of HSTS-enabled sites, usually sourced from Google. If you are developing with a local copy of a site that is already exposed on the Web, and that public site sends HSTS headers to clients, you will very likely find that your site has already been added to the browser's HSTS preloading list. That means it doesn't matter what your Web server sends locally to your browser — the browser will still insist your site is HSTS-protected. Thus, locally generated self-signed certificates won't work.
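
As an added example (not code from this post), here is a small Python parser for the Strict-Transport-Security header, so you can compare what the public site sends with what your local server sends and see why the public one ended up preloaded. The sample headers are constructed, and the eligibility thresholds are the ones published by hstspreload.org, not anything stated in the post.

```python
"""Parse a Strict-Transport-Security header and report what a client
would learn from it. Added example for this post; the sample headers
below are constructed, not captured from any real site."""

# Inclusion requirements published by the preload service at
# hstspreload.org (they are not stated in the post): a max-age of at
# least one year, includeSubDomains, and an explicit preload directive.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed samples: what a public site might send, and the header a
# local dev server sends once HSTS has been switched off there.
PUBLIC_SITE_HEADER = "max-age=63072000; includeSubDomains; preload"
LOCAL_DEV_HEADER = "max-age=0"


def parse_hsts(header):
    """Split the header into its directives (names are case-insensitive
    per RFC 6797); unknown directives are ignored, as a browser would."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def missing_for_preload(header):
    """List the preload requirements this header does not satisfy."""
    p = parse_hsts(header)
    missing = []
    if p["max_age"] is None or p["max_age"] < PRELOAD_MIN_MAX_AGE:
        missing.append("max-age")
    if not p["include_subdomains"]:
        missing.append("includeSubDomains")
    if not p["preload"]:
        missing.append("preload")
    return missing


if __name__ == "__main__":
    for label, hdr in (("public", PUBLIC_SITE_HEADER), ("local", LOCAL_DEV_HEADER)):
        gaps = missing_for_preload(hdr)
        print(label, parse_hsts(hdr), "preload-eligible" if not gaps else gaps)
    # The local max-age=0 header clears a dynamically learned HSTS entry,
    # but it cannot touch a preloaded one, which is the post's point.
```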

Here's how to disable the preloading list for Firefox:

  1. Go to your browser's about:config view, and click through the warning it displays.
  2. Search for network.stricttransportsecurity.preloadlist.
  3. Switch that setting to false.
  4. Delete all history entries for the site in question:
    1. Open the history sidebar.
    2. Right-click on the most recent entry of the site.
    3. Click Forget about this site.
  5. Restart your browser.

Presto, HSTS is no more!

Other browsers have similar settings mechanisms where you can find the equivalent setting.