HSTS
All modern web browsers have a feature which forces HTTPS-only connections for particular sites. It is called HTTP Strict Transport Security (HSTS) and is specified in RFC 6797.
HSTS support appeared in browsers around 2010-2011. Each browser keeps two lists: the HSTS Preload List and the User HSTS List. Both describe domains for which an insecure HTTP connection must never be made and HTTPS must be used instead, even if the user typed http://.
The Preload List is bundled with the browser and changes only with browser updates. The User HSTS List fills up while the user surfs the Internet: a server which wants to be included sends a Strict-Transport-Security header in its HTTPS responses, and an HSTS-supporting browser adds the domain to the User HSTS List for the max-age given in the header (a header received over plain HTTP is ignored). The Preload List is maintained by Google as part of Chromium; site owners submit their domains to it themselves (via hstspreload.org, with a header that also carries the preload directive), and most other browsers import Google's list.
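A toy model of the two lists and the upgrade decision, added here as an illustration; it is not WebOne's code nor any browser's, and the preload entry, hostnames and header values in it are constructed. It shows how a Strict-Transport-Security header feeds the user list, how both lists turn http:// into https:// before any proxy is contacted, which entries a "forget this site" action can remove, and why a proxy that strips the header keeps a host out of the user list.

```python
"""Toy model of a browser's HSTS logic (added illustration; not WebOne code).

Two sources say "HTTPS only" for a host: the bundled preload list and the
user list filled from Strict-Transport-Security headers seen on HTTPS
responses. The model shows how a header feeds the user list, how both lists
drive http -> https upgrades, what "forget this site" can and cannot undo,
and why a proxy that strips the header keeps a host out of the user list.
"""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the preload list: host -> includeSubDomains flag.
PRELOAD = {"example.org": True}


class HstsStore:
    def __init__(self, preload=PRELOAD, now=time.time):
        self.preload = dict(preload)
        self.user = {}          # host -> (expiry_epoch, include_subdomains)
        self.now = now          # injectable clock so expiry can be tested

    def process_response(self, host, headers, over_https=True):
        """Apply an STS header from a response. Returns True if the user
        list changed. Per RFC 6797 the header is ignored on plain HTTP."""
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None or not over_https:
            return False
        directives = {}
        for part in value.split(";"):
            name, _, val = part.strip().partition("=")
            if name:
                directives[name.strip().lower()] = val.strip().strip('"')
        max_age = directives.get("max-age", "")
        if not max_age.isdigit():
            return False                      # max-age is mandatory
        host = host.lower()
        if int(max_age) == 0:
            return self.user.pop(host, None) is not None   # max-age=0 = forget
        self.user[host] = (self.now() + int(max_age),
                           "includesubdomains" in directives)
        return True

    def is_known(self, host):
        """True if host or a parent domain (with includeSubDomains) is listed."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.user.get(candidate)
            if entry is not None:
                expiry, subdomains = entry
                if expiry <= self.now():
                    del self.user[candidate]  # lazily drop expired entries
                elif exact or subdomains:
                    return True
        return False

    def rewrite(self, url):
        """The address-bar behaviour the page describes: http:// is upgraded
        for known hosts before any request (or proxy) is involved."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def forget(self, host):
        """'Forget About This Site' / 'Delete domain security policies':
        only the user entry goes away; a preloaded host stays upgraded."""
        return self.user.pop(host.lower(), None) is not None


def strip_hsts(headers):
    """What a downgrading proxy does before relaying a response to an old
    client, so the client never learns the policy."""
    return {k: v for k, v in headers.items()
            if k.lower() != "strict-transport-security"}
```

The model mirrors the rest of this page: a host learned from a header can be forgotten per browser, an expired entry drops out on its own, but a preloaded host is upgraded regardless of what the user list says, which is why only the preload-list workarounds below help for those sites.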
If you're attempting to open a site through WebOne Proxy, but the web browser forces HTTPS and bypasses the proxy (even if you explicitly type http:// in the address bar), and the browser is from 2010 or newer, HSTS is getting in the way. You need to disable it or make an exception for that site.
The latest Presto-based releases of Opera (12.xx) have HSTS support. To disable it, open opera:config, go to Security Prefs, uncheck Strict Transport Security support, click Save and restart the browser.
Some Opera 12.xx versions have a bug which prevents HSTS from being fully disabled on a profile that has been in use for a long time. In such cases, create a clean Opera profile and uncheck "Strict Transport Security support" before opening any site.
Opera 15.0 and newer are Chromium-based; see the Chromium instructions below.
Firefox has had HSTS since Firefox 4, and from the start it was harder to disable than in Opera; in modern releases it is harder still, since Mozilla (like Google) decided that users should not be able to switch off security features.
The same applies to SeaMonkey 2.x, K-Meleon, Pale Moon, Basilisk, Serpent and all other Gecko-based browsers.
- Method 1: https://security.stackexchange.com/questions/102279/can-hsts-be-disabled-in-firefox
- Method 2: https://stackoverflow.com/questions/30532471/firefox-redirects-to-https
Method 1 works in any Firefox version from the 2010s and probably the 2020s too:
- Close all Mozilla Firefox windows.
- Open your profile folder.
- Find the file called SiteSecurityServiceState.txt and remove it. Alternatively, edit it (it is a plain text file) and delete only the line for the site in question.
- Run Mozilla Firefox and open History (Ctrl+H).
- Right-click the site in question and choose "Forget About This Site".
- Restart Mozilla Firefox.
- If the problematic site is not in the HSTS Preload List, it will now open over plain HTTP.
- Open problematic sites only through WebOne, as it strips HSTS-related headers so that the site does not get added to the list again.
Method 2 does not always work, but sometimes helps. The preference seems to have appeared in ~2015 releases of Firefox:
- Open about:config.
- Set network.stricttransportsecurity.preloadlist to false.
- Restart Firefox.
- If it works, the HSTS Preload List is no longer consulted and preloaded sites open over plain HTTP.
The following preferences may also help:
- browser.fixup.fallback-to-https = false
- dom.security.https_first = false (Firefox 100+, non-private windows only)
- dom.security.https_first_pbm = false (Firefox 100+, private windows only)
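Both Firefox methods above as one script, added here as an example; it is not WebOne's or Mozilla's code. It assumes the state file is line-oriented and tab-separated with the host in the first field, possibly suffixed ":HSTS" in old releases or prefixed by a comma-separated partition key in newer ones (only the host match matters), and that Firefox reads user.js from the profile at startup and applies it over prefs.js. The sample file lines are constructed. Run it with Firefox closed, as the steps above say.

```python
"""Added helper for the two Firefox methods (illustration, not WebOne code).

- remove_hsts_entries(): drops the lines for a host (and its subdomains)
  from SiteSecurityServiceState.txt, keeping a .bak copy.
  Assumed layout: one host per line, tab-separated, host in the first
  field, optionally "host:HSTS" (old releases) or "<partition key>,host"
  (newer releases). Only the host comparison matters here.
- write_hsts_prefs(): writes the about:config overrides into user.js,
  which Firefox applies over prefs.js at startup (so they survive restarts
  and cannot be silently reverted by the running browser).
Run with Firefox closed.
"""
import shutil
from pathlib import Path

HSTS_FILE = "SiteSecurityServiceState.txt"
HSTS_PREFS = {
    "network.stricttransportsecurity.preloadlist": False,
    "browser.fixup.fallback-to-https": False,
    "dom.security.https_first": False,
    "dom.security.https_first_pbm": False,
}


def entry_host(line):
    """Extract the hostname from one state-file line (assumed layout)."""
    key = line.split("\t", 1)[0]
    key = key.split(",")[-1]          # drop a leading partition-key prefix
    key = key.split(":")[0]           # drop the ":HSTS" type suffix
    return key.strip().lower()


def filter_hsts_lines(lines, host, include_subdomains=True):
    """Return the lines that do not belong to host (or its subdomains)."""
    host = host.lower()
    kept = []
    for line in lines:
        h = entry_host(line)
        if h == host or (include_subdomains and h.endswith("." + host)):
            continue
        kept.append(line)
    return kept


def remove_hsts_entries(profile_dir, host):
    """Delete host from the profile's HSTS state file; returns lines removed."""
    path = Path(profile_dir) / HSTS_FILE
    if not path.exists():
        return 0
    shutil.copy2(path, Path(str(path) + ".bak"))       # keep a backup
    lines = path.read_text(encoding="utf-8").splitlines()
    kept = filter_hsts_lines(lines, host)
    path.write_text("\n".join(kept) + ("\n" if kept else ""), encoding="utf-8")
    return len(lines) - len(kept)


def render_user_js(prefs=HSTS_PREFS):
    """Serialize prefs in the user_pref("name", value); form user.js uses."""
    def lit(v):
        if isinstance(v, bool):
            return "true" if v else "false"
        if isinstance(v, int):
            return str(v)
        return '"%s"' % str(v).replace("\\", "\\\\").replace('"', '\\"')
    return "".join('user_pref("%s", %s);\n' % (k, lit(v)) for k, v in prefs.items())


def write_hsts_prefs(profile_dir, prefs=HSTS_PREFS):
    """Append the overrides to user.js, replacing earlier lines for the same prefs."""
    path = Path(profile_dir) / "user.js"
    existing = path.read_text(encoding="utf-8") if path.exists() else ""
    keep = [l for l in existing.splitlines()
            if not any('"%s"' % k in l for k in prefs)]
    body = "\n".join(keep).rstrip("\n")
    path.write_text((body + "\n" if body else "") + render_user_js(prefs),
                    encoding="utf-8")
    return path
```

Usage: `remove_hsts_entries("/path/to/profile", "example.com")` followed by `write_hsts_prefs("/path/to/profile")`, then start Firefox. The preload-list preference still only helps for sites that are preloaded, and the state-file edit only for sites learned from headers.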
Chromium 4.0 and newer support HSTS much like Firefox does, and you cannot bypass it entirely. It is, however, possible to remove individual sites from the User HSTS List:
- Navigate to chrome://net-internals/#hsts.
- Use the Query HSTS/PKP domain field to check whether the domain is present in any HSTS list; the result shows whether the entry is static (from the Preload List) or dynamic (from the User HSTS List).
- Use the Delete domain security policies field to remove the domain from the User HSTS List.
Chromium does not allow altering or bypassing the HSTS Preload List. It is a paranoid browser.
The same (or almost the same) applies to all browsers forked from it: Google Chrome, Opera 15.0+, Microsoft Edge 79.0+, Yandex Browser, Nichrome, Amigo, etc.
Internet Explorer 11 has HSTS support on all Windows 10 builds, and on older systems since the KB3058515 update.
HSTS can be disabled via the Registry Editor (FeatureControl entries are keyed by process name: the key is the feature, the value name is the executable):
- Open regedit.
- Create the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_HSTS and inside it a DWORD value named iexplore.exe with data 1.
- (64-bit Windows only) Do the same under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_HSTS, which the 32-bit iexplore.exe reads.
- Restart MSIE, or reboot Windows.
Edge 12.0-44.0 (the EdgeHTML-based releases) seem to have no way to disable HSTS. What else to expect from a browser from 2015?
Edge 79.0 and newer are Chromium-based; see the Chromium instructions above.
Edge 79+ additionally has a Group Policy for an HSTS bypass list: https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::HSTSPolicyBypassList
Registry Hive: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry Path: Software\Policies\Microsoft\Edge\HSTSPolicyBypassList
Value Name: {number}
Value Type: REG_SZ
Default Value: (none)
Policy description: Hostnames specified in this list will be exempt from the HSTS policy check that could potentially upgrade requests from "http://" to "https://". Only single-label hostnames are allowed in this policy. Hostnames must be canonicalized. Any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase. This policy only applies to the specific hostnames specified; it doesn't apply to subdomains of the names in the list.
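The policy silently ignores names that are not in the required form, so it is worth canonicalizing and validating them before they go into the registry. The script below, added here as an example (not WebOne's or Microsoft's code), does that and emits a .reg file covering both the Edge HSTSPolicyBypassList above and the Internet Explorer FeatureControl entries from the MSIE section. It assumes the machine hive (HKEY_LOCAL_MACHINE) for the Edge policy and the standard .reg syntax that regedit / reg import accept; the hostnames in the test are constructed.

```python
"""Added example (not WebOne code): build a .reg file that
(1) populates Edge's HSTSPolicyBypassList under the machine policy hive and
(2) sets the FeatureControl entry this page gives for Internet Explorer 11.

The Edge policy accepts only canonical single-label hostnames: lowercase
ASCII, IDNs converted to their A-label (punycode) form, no dots.
canonicalize_host() enforces those rules and reports a rejected name
instead of letting the browser ignore it silently.
"""
import re

EDGE_BYPASS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\HSTSPolicyBypassList"
IE_FEATURE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_HSTS",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_HSTS",
)
# A DNS label: letters, digits and hyphens, no leading/trailing hyphen, <= 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def canonicalize_host(name):
    """Return the canonical single-label form, or raise ValueError with the reason."""
    host = name.strip().rstrip(".").lower()
    if not host:
        raise ValueError("empty hostname")
    if "." in host:
        raise ValueError("only single-label hostnames are allowed: %r" % name)
    try:
        host = host.encode("idna").decode("ascii")   # IDN -> A-label (xn--...)
    except UnicodeError as exc:
        raise ValueError("cannot convert %r to A-label: %s" % (name, exc)) from exc
    if not LABEL_RE.match(host):
        raise ValueError("not a valid DNS label after canonicalization: %r" % host)
    return host


def build_bypass_list(names):
    """Canonicalize, de-duplicate and keep order; the policy numbers entries 1..n."""
    seen, out = set(), []
    for n in names:
        h = canonicalize_host(n)
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


def render_reg(bypass_hosts, include_ie=True, include_wow6432=True):
    """Produce the text of a .reg file (CRLF line endings, as regedit writes them)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines.append("[%s]" % EDGE_BYPASS_KEY)
    for i, h in enumerate(bypass_hosts, start=1):
        lines.append('"%d"="%s"' % (i, h))          # value name {number}, REG_SZ
    lines.append("")
    if include_ie:
        for key in IE_FEATURE_KEYS[: 2 if include_wow6432 else 1]:
            lines.append("[%s]" % key)
            lines.append('"iexplore.exe"=dword:00000001')   # value named after the process
            lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a plain intranet name, an IDN and a duplicate in other case.
    hosts = build_bypass_list(["Intranet", "bücher", "localhost", "INTRANET"])
    print(render_reg(hosts))
```

Write the output to a file and import it with regedit (or `reg import file.reg`) from an elevated prompt, then restart Edge or IE. Note that a dotted name such as example.com is rejected on purpose: the policy would not honour it, and only the exact single-label hosts listed are exempt, never their subdomains.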