Ssl – Ignore HSTS in browser for a subdomain

hstshttpslocalhostssl

[copied from https://stackoverflow.com/questions/39937837/]

I've got my DNS set up to point local.example.com to 127.0.0.1. This is so that I can share cookies between the live site and my dev environment.

With HSTS activated on the live site, my browser automatically tries to access the local site at https://local.example.com/
which doesn't work as my dev server doesn't support SSL (I've tried serving at port 443).

Is there a way to instruct my browser (Chromium) to ignore HSTS?

(From what I've read, the includeSubDomains is very important to avoid cookie hijack attacks – basically I only want to include the subdomain exception for myself).

Best Answer

I'm not really sure if this of help in your specific situation (and you're aware of this "solution"), but one possible way would be to clear the browser HSTS cache. Maybe it's also possible to map this to a special key (combination), which would make it more easy to invoke it.

Here is how to do it with Chromium:

  1. Close all open tabs related to the page experiencing the issue.
  2. In a new tab type chrome://net-internals/#hsts.
  3. Locate the section header "Query Domain", enter the domain which is experiencing the issue in the text field next to "Domain:" and press the button labeled Query.
  4. Any domains that appear beneath the search query box will need to be deleted.
  5. Locate the section header "Delete Domain", enter the domain which is experiencing the issue in the text field next to "Domain:" and press the button labeled Delete.
  6. Repeat step 3 through 5 until the results of the query in step 3 state "Not Found".
  7. Close the browser and then re-open it, your issue should now be resolved.

Additional note: This only works if your domain isn't part of the HSTS preloaded list.

Related Topic