A guide about how to clear or disable HSTS setting on Chrome, Firefox, Safari, and IE Browsers
Web developers, website owners, site visitors, and customers all love one common thing, i.e., a secure site, and that’s why HSTS received a warm welcome.
HSTS has the potential to strengthen the digital web by providing an extra security layer. This extra security shields the web infrastructure of business owners against hackers and other cyber-attacks and secures the data from being compromised.
But HSTS comes with one major disadvantage. Its implementation gives rise to browser errors on an occasional basis. But don’t worry; the resolution process to fix this error on various browsers is not as complex as you think.
This article will discuss how to disable/clear HSTS settings on popular browsers like Chrome, Firefox, Explorer, etc. But before moving to the fixations, let me brief you about what is HSTS, its importance in today’s digital world, causes of HSTS errors, and considerations to be taken before implementing this security solution.
So, let’s get rolling.
What is HSTS?
HSTS is the acronym of HTTP Strict Transport Security. This web security policy compels the web browsers to connect with secured connections like HTTPS (hyper-text transfer protocol secure) and disregard all unsecured connections like HTTP (hyper-text transfer protocol).
Its main advantages are that it prevents attacks like cookies hijacking, eavesdropping, MIM (man-in-middle) attacks, and HTTP downgrade interference attacks.
A rise in SSL Stripping Attacks (HTTP downgrade attacks) needed someone to control the same, which led to the origin of HSTS. These cyber-attacks were intended to downgrade a web connection from a secured one to an unsecured one, i.e., from HTTPS to HTTP. These attacks automatically unencrypted communications, thus raising the chances of successful MIM (man-in-middle) attacks without user knowledge.
HSTS is a security solution that communicates a policy to the web page header, pressurizing the browser to create HTTPS connections during user visits.
But implementation of HSTS can create disruptions at times, and hence browsers tend to show HSTS errors.
Example: An error in Chrome stating “Your Connection is Not Private”
When the website is opened on another browser, the error may not exist, and this is proof that your HSTS settings are creating a problem.
What Causes HSTS Error in Popular Browsers?
Some errors can be ignored, whereas some can’t. The same statement is true for HSTS errors. Browsers keep track of websites having HSTS headers, and a few common causes for browsers to display these errors are:
- The browser stores HSTS settings for specific domains. Suppose you try to connect that specific domain over an unsecured broken connection, like expiry of an SSL certificate or SSL certificate name mismatch, etc. In that case, the above warning message may be displayed.
- Trial of an HSTS configuration by a web developer may trigger this error.
- HSTS deployment may be the reason why a website visitor may face this error. The only solution is to remove the HSTS settings of the website visited or wait for their expiry date (age limit is defined).
Though HSTS errors are devoid of uniqueness as far as browsers are concerned, their errors warnings include all HSTS information.
Why should your Company Implement HSTS?
The value of data in a website is as good as an item in a physical store, and hence it requires the same security locks as a physical item.
Though you lock your website with security solutions like anti-virus software and firewalls, smart hackers may still find some loopholes for penetrating networks and accessing data.
Your website needs HSTS. Period.
Not only will they act as an additional shield against hackers, but they will also ensure data privacy. Since nothing is secure, not even an SSL (Secure Socket Layers) certificate, implementing HSTS settings on your website is a boon in disguise. Its existence compels browsers and other connections to use HTTPS irrespective of a user who has typed HTTP://.
Another tip I would love to share is that if your site has sub-domains, add the same in the header by stating “include subdomains” and “preload.”
This will provide robust security to your site.
What to Consider before Implementing HSTS?
Before implementing any securities, it’s essential to know about their technical configurations or other factors that contribute to a successful implementation. So, before implementing HSTS settings on your website, check out the specific factors which can be included in the header.
Let’s have a look.
- Proper configuration and installation of an SSL certificate are a must. You can verify the same with SSL Certificate Checker.
- When multiple first-level sub-domains are involved, installing a Wildcard SSL certificate is a must.
- Use 301 redirects that remove irrelevant and non-useful pages and redirect all the non-secure (HTTP) links to secured (HTTPS) ones.
- Issue an HSTS header on the root domain for HTTPS requests.
- Set the maximum age limit of this security to 2 years.
- Lastly, add both the sub-domains and preload headers.
Note: ClickSSL is a cheap SSL certificate provider offering all global brands of SSL products and services. Unbeatable rates and appreciative customer services are its added benefits.
How Can I Implement HSTS on my Website?
If your site comprises sub-domains, installation of a Wildcard certificate is essential to secure them. But if only the root domain needs security, you can utilize any of the SSL validations (Domain Validation, Organisation Validation, or Extended Validation) for securing the same.
Ensure its proper configuration and installation. Test your web applications for a week by minimizing HSTS age to 5minutes. Expiry after a few minutes will help fix deployment issues.
Once the issues are fixed, modify HSTS age as desired (the maximum limit is 2 years).
But, if issues exist, there may be an issue with the configuration of browser HSTS settings. You need to clear or disable HSTS settings to fix the error.
I have penned down tips on how to disable HSTS settings in various popular browsers.
How to Clear or Disable HSTS in Different Browsers?
#1. Clearing HSTS in Chrome:
Chrome HSTS error display: “Your connection is not private.”
Click on the Advanced menu of this error, where HSTS settings are displayed. Go further down and clear the HSTS cache from the Chrome browser.
#1. Open Chrome
#2. Search for “chrome://net-internals/#hsts” in the address bar
#3. Search “Query HSTS/PKP domain” and write the site’s domain name for whom the HSTS settings are to be deleted.
#4. Lastly, enter the domain name in this Delete domain security policy and press the Delete button.
#5. HSTS settings are cleared in Chrome.
#2. Clearing HSTS in Mozilla Firefox:
There are multiple methods for clearing these settings in Firefox.
Forgetting the Website:
#1. Close all the open windows
#2. Click Ctrl + Shift + H and open your browser history
#3. Select the site for whom the HSTS settings need to be cleared
#4. Right-click on the site and click the “Forget about this site” option. This will erase site data in the Firefox browser.
#5. Restarting the browser may fix the error.
Clear Site Preferences:
#1. Open Firefox > go to Library option > Click History > Clear Recent History
#2. In the “Clear All History” field, select Everything in the drop-down menu of “Time range to clear the field,” as shown in the above image.
#3. Uncheck all the options under History and just tick “Site Preferences” and later click “Clear Now.”
#4. Restart Firefox
Edit the User Profile:
#1. Close entire Firefox with its tray icons and pop-ups
#2. Go to Firefox user profile.
#3. In the address bar of the browser, type: about: support at the top and click Enter
#4. The Application Basics page will be displayed. Go to the Profile folder section > Click Open Folder.
#5. In the Profile folder, open SeiteSecurityServiceState.txt in Notepad.
#6. This file comprises HSTS settings for all visited domains.
#7. Delete this HSTS data of the desired website, and restart your browser.
- Be cautious while deleting the HSTS information.
- Changing the file format from .txt to .bak will be beneficial. First, it will create a backup of an existing file, and secondly, it will clear all previously-stored HSTS settings to fix the error.
Clear Settings from Browser:
#1. Open the browser and type: about: config in the address bar. Click the button: “Accept the Risk and Continue.”
#2. Go to the Advanced Settings menu
#3. Search for HSTS from the search bar
#4. Select security.mixed_content.use_hstsc and double-click the same to toggle the settings and disable it
#3. Clearing HSTS in Safari:
#1. Close Safari browser
#2. Go to Library > Cookies > HSTS.plist file.
#3. Restart the Browser
#4. Clearing HSTS in Internet Explorer:
#1. Go to the Run box on your PC and type “Regedit.”
#2. This will open the Registry Editor.
#3. Browse the below-mentioned Registry subkey.
#4. In the Edit menu of the Registry Editor, go to New > Key.
#5. Type FEATURE_DISABLE_HSTS, and click Enter.
#6. In the Edit menu, again go to New > DWORD (32-bit) value, later type ieexplore.exe.
#7. In the Edit menu, click “Modify.”
#8. “Type 1” in the Value Data Box and click Ok. All the changes will be saved.
#9. In the end, close the Registry Editor.
#10. Browse to the following registry subkey:
#11. Again, from the Edit menu, select New > Key.
#12. Now, type FEATURE_DISABLE_HSTS and hit Enter.
#13. Click FEATURE_DISABLE_HSTS
#14. In the Edit menu, go to New > DWORD value and type iexplorer.exe.
#15. Now, from the menu Edit, click Modify.
#16. Now, type 1 in the Value Data box and click Ok.
#17. Close the Registry Editor.
#18. Restart your computer and check if the HSTS settings are disabled in your browser or not.
Note: Subkey values for iexplore.exe are 0 and 1, where value 0 activates the feature, and 1 inactivates the feature.
HSTS settings are pivotal, and they help in enhancing your web security. So, don’t forget to apply the same when you are launching your website. This will boost your site security and enhance customer trust, conversions, ROI, and SEO.
Ensure that you have installed an SSL certificate from ClickSSL (a reputed SSL certificate provider). The same is configured properly before implementing HSTS settings to eliminate the chances of error.
Being a website visitor, disabling HSTS settings on your desired website is easy, but I would advise you to refrain from sharing any sensitive data on such HTTP sites.
There are ample benefits of HSTS as compared to the meagre browser errors which are displayed at times. So use HSTS and save your site from varied digital risks.
This article will help you resolve your errors irrespective of the browser whichever you are using.
Implementing the above-mentioned short and simple steps to clear and disable the respective browser HSTS settings will not only make your site error-free but will also give your visitors a continual browsing experience.