Skip to content
Alexander Tauenis edited this page Jan 14, 2023 · 1 revision

All modern web browsers have a feature, which automatically enables HTTPS-only connection support for particular sites. It is called HTTP Strict Transport Security (HSTS).

HSTS is implemented in all browsers since ~2010. They have HSTS Preload List, and User HSTS List. Both lists configure on which domains insecure HTTP connection must be prohibited and HTTPS must be used anyway.

The Preload list is bundled with browser and is updating only with the browser updates. The User HSTS List is filling while user surfs Internet. Servers which want to be included to HSTS List are sending Strict-Transport-Security header in responses, and a HSTS-supporting browser adds the domain to the HSTS List. Google is indexing such sites, and then including them to HSTS Preload List. Most of browsers are using the Google's HSTS Preload List.

If you're attempting to open a site through WebOne Proxy, but the web browser forces to open it via HTTPS bypassing the proxy (even if you're exactly typing http:// in address bar), and the browser is from 2010 or newer, the HSTS is hindering. So need to disable it or made an exception.

Opera 12.0

The latest Presto-based release of Opera have the HSTS support. To disable it, open opera:config, Security Prefs, and uncheck Strict Transport Security support. Then click Save and restart browser.

Some Opera 12.xx versions have bug, which hinders for complete HSTS disable on long-time used profile. In such cases, it is need to make a clean Opera profile, and disable "Strict Transport Security support" before any site open.

Opera 15.0

Similar to Chromium-like browsers.

Mozilla Firefox 4.0+

Since fourth Firefox release, HSTS was included in harder to disable manner from start. In modern releases, the disabling is more difficulty. No one should be able to fight against security technologies, as Mozilla (and Google) decided.

This also related to SeaMonkey 2.x, K-Meleon, Pale Moon, Basilisk, Serpent and all other Gecko-based browsers.

Clear HSTS user list

This works in any Firefox versions from 2010s and probably 2020s.

  1. Close all Mozilla Firefox windows.
  2. Open your profile folder.
  3. Find file called SiteSecurityServiceState.txt and remove it.
    • Also you may edit it (it's a simple text file) and remove line about need site.
  4. Run Mozilla Firefox, and open History (Ctrl+H).
  5. Right click on interesting site, and click "Forget About This Site".
  6. Restart Mozilla Firefox.
  7. If the problematic site is not present in HSTS Preload List, it will open via plain HTTP now.
  8. Open problematic sites only through WebOne, as it strips HSTS-related headers to prevent including in any lists.

Disable HSTS at all

This does not always works, but sometimes would help. Seems that this was introduced in ~2015 releases of Firefox.

  1. Open about:config.
  2. Set network.stricttransportsecurity.preloadlist to false.
  3. Restart Firefox.
  4. Probably, HSTS Preload List will be not used, an sites will open over plain HTTP.

Also sometimes may work:

  • browser.fixup.fallback-to-https = false
  • dom.security.https_first = false (Firefox 100+, non private windows only)
  • dom.security.https_first_pbm to false (Firefox 100+, private windows only)

Chromium (and similar)

Chromium 4.0 and newer have similar to Firefox support for HSTS. Also you cannot fully bypass it. But it's possible to remove some sites from User HSTS List.

  1. Navigate to chrome://net-internals/#hsts.
  2. In Query HSTS/PKP domain field you may try to find if it actually the domain present in any HSTS lists.
  3. Use Delete domain security policies field to remove the domain from User HSTS List. Chromium does not allows to alter or bypass HSTS Preload List. It is a paranoiac browser.

This is same (or almost same) for all other forked browsers: Google Chrome, Opera 15.0+, Microsoft Edge 79.0+, Yandex Browser, Nichrome, Amigo, etc.

Microsoft Internet Explorer 11

In all Windows 10 builds and since KB3058515 update in older systems, MSIE 11 got HSTS support.

HSTS can be disabled via Registry Editor:

  1. Open regedit.
  2. Create a key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_HSTS\iexplore.exe with DWORD value 1.
  3. (64-bit only systems) Create a key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_HSTS\iexplore.exe with DWORD value 1.
  4. Consider restart MSIE or reboot Windows.

Microsoft Edge (original)

Seems that there is no support to disable HSTS in Edge 12.0-44.0. What else expect from browser from 2015?

Microsoft Edge (Chromium)

Similar to Chromium-like browsers.

Edge 79+ have GPO for HSTS bypass list: https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::HSTSPolicyBypassList

Registry Hive	HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry Path	Software\Policies\Microsoft\Edge\HSTSPolicyBypassList
Value Name	{number}
Value Type	REG_SZ
Default Value	

Hostnames specified in this list will be exempt from the HSTS policy check that could potentially upgrade requests from "http://" to "https://". Only single-label hostnames are allowed in this policy. Hostnames must be canonicalized. Any IDNs must be converted to their A-label format, and all ASCII letters must be lowercase. This policy only applies to the specific hostnames specified; it doesn't apply to subdomains of the names in the list.

Clone this wiki locally