Disable HSTS and HPKP


We have a domain with HSTS and HPKP enabled and working. For a few reasons, we would like to disable it, not immediately, but as soon as the key expires. This means that the site would remain accessible through HTTPS, as it is now, but without the HSTS and HPKP mechanisms.

What steps should we take to do this smoothly?

Best Answer

Just stop adding HPKP (Public-Key-Pins) and HSTS (Strict-Transport-Security) headers to the answers, and after the biggest max-age value of either of these expires (meaning no client will remember any longer that your site had these enabled), your site will be free of both HPKP and HSTS.

Also keep in mind that if you had a max-age for HPKP bigger than your current certificate's remaining lifetime, you will still need to use the backup key for certificate renewal, or the clients still remembering your backup key hash will think that something nasty is happening on the certificate replacement/renewal.

But it's a really weird intention - while the Web is moving to a more secure state, you wish to move in the opposite direction.
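To put numbers on the wind-down the answer describes, here is an added example (not from the answer or any project): it parses the max-age of both headers as currently served, computes the date after which no client can still hold a cached policy, and flags the backup-key caveat when the HPKP pin lifetime outlives the current certificate. The header values, the last-sent date and the certificate expiry are constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the headers the site currently sends (not real values).
HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": (
        'pin-sha256="CONSTRUCTED_PRIMARY_PIN_AAAAAAAAAAAAAAAAAAAA="; '
        'pin-sha256="CONSTRUCTED_BACKUP_PIN_BBBBBBBBBBBBBBBBBBBBB="; '
        "max-age=5184000"
    ),
}


def max_age_seconds(header_value):
    """Return the max-age directive (seconds) of an HSTS/HPKP value, 0 if absent."""
    m = re.search(r'(?i)max-age\s*=\s*"?(\d+)"?', header_value)
    return int(m.group(1)) if m else 0


def wind_down_plan(headers, last_sent, cert_not_after):
    """Given the headers as last served on `last_sent`, compute when caches expire.

    free_at: the moment after which no client can still enforce either policy,
             i.e. the later of the two max-age windows counted from the last
             response that carried the header.
    backup_key_needed: True when cached pins outlive the current certificate,
             so the renewal must use the already-pinned backup key.
    """
    hsts = max_age_seconds(headers.get("Strict-Transport-Security", ""))
    hpkp = max_age_seconds(headers.get("Public-Key-Pins", ""))
    free_at = last_sent + timedelta(seconds=max(hsts, hpkp))
    pins_expire_at = last_sent + timedelta(seconds=hpkp)
    return {
        "hsts_max_age": hsts,
        "hpkp_max_age": hpkp,
        "free_at": free_at,
        "backup_key_needed": pins_expire_at > cert_not_after,
    }


if __name__ == "__main__":
    # Constructed dates: headers last sent 2024-01-01, certificate expires 2024-02-01.
    plan = wind_down_plan(
        HEADERS,
        datetime(2024, 1, 1, tzinfo=timezone.utc),
        datetime(2024, 2, 1, tzinfo=timezone.utc),
    )
    print(plan)
```

The same check can be re-run against live response headers after the headers have been removed, at which point both max-age values read 0 and `free_at` equals `last_sent`.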