Jason Parms

A User’s Guide to HSTS and how to easily clear or disable HSTS settings on your browsers – Chrome, Firefox and Internet Explorer.

For the most part, the creation of HSTS has been welcomed by developers and everyday users, due to its ability to strengthen online security measures. HSTS provides an additional level of security that better protects your website from being hacked and reduces the risk of your personal data being corrupted. However, the implementation of HSTS can occasionally cause browser errors in certain cases. This is an issue that can easily be resolved through the effective clearing of HSTS settings on most major browsers.

What is HSTS?

HSTS stands for HTTP Strict Transport Security. It enables browsers to forge better connections via HTTPS and at the same time, limits HTTP connections that will inevitably be less secure. HSTS is advantageous as it prevents both cookies hijacking and protocol downgrade interference.

HSTS was originally created in response to an increase in SSL Strip attacks. These attacks were prone to inhibiting HTTPS connections and causing a downgrade to more vulnerable HTTP connections. HSTS works as a security measure by transmitting a policy to a web page’s header. This then forces a browser to create a secure HTTPS connection when a person visits a website.

Should I implement HSTS on my website?

It is strongly advised that you implement HSTS settings on your website. HSTS settings will bolster your site’s security and protect your personal data. Even if you have a trusted SSL Certificate, online hackers can still potentially exploit your site.

If you choose not to implement HSTS settings on your website, you are increasing the likelihood that your stored information will be tarnished through cyber-attacks. By not utilizing HSTS, it’s as though you have a protective gate surrounding your website; but with an open front door. You’re essentially inviting hackers inside your site.  You can add “include subdomains” and “preload” in header.

What to consider before implementing HSTS?

Prior to implementing HSTS settings on your website, it’s important to consider several points before you’re able to include the relevant header:

  • First things first, you need to have already successfully installed an SSL Certificate on your website.
  • If you possess sub domains, it is essential that you use a wildcard. This will further protect each of your domains.
  • Make use of 301 Redirects. These will act to reroute all HTTP pages to HTTPS pages.
  • Based on information from Google, it’s advised that you set a maximum age of two years.
  • Finally, be sure to implement both Sub Domain and Preload headers. Keep in mind that simply adding preload is not an effective means of getting on an HSTS preload list.

How to clear or disable HSTS in different browsers?

Here’s a common scenario that is sure to have you scratching your head: You’re attempting to visit a website when suddenly you see the message,

  • “Privacy error: Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID)

If you encounter this rather perplexing message, firstly open a different type of browser and see if you can access the website without the same message being displayed. If you can, this means that there is most likely an issue with the configuration of the original browser’s HSTS settings.

You then have two options: You can either clear the HSTS settings or disable HSTS from your web browser.

Clearing HSTS in Chrome

When there is an issue with your HSTS settings in Chrome, you will most often encounter an error message such as “Your connection is not private”. Within the advanced menu of this error message, there would likely be an explicit mention of HSTS settings. You can delete the HSTS cache from your Chrome browser by implementing the following steps:

  • Open Google Chrome
  • Search for chrome://net-internals/#hsts in your address bar.
  • Locate the Query HSTS/PKP domain field and enter the domain name that you wish to delete HSTS settings for.clear HSTS settings in chrome
  • Finally, enter the domain name in the Delete domain security policies and simply press the Delete button.

Congratulations! You’ve officially cleared HSTS settings in Chrome.

Clearing HSTS in Firefox

Whilst there are several methods for clearing or disabling HSTS in Firefox, the most straightforward approach is as follows:

  • Start by closing any open windows.
  • Next, open your browsing history by clicking Ctrl + Shift + H.
  • Navigate your way to the site that your wish to clear the HSTS settings.
  • Right click on the site and click on Forget About This Site. Be mindful that this will clear all data of the site that is currently in Firefox.

clear HSTS in firefox

And that’s as easy as it is! HSTS settings have now been cleared in Firefox.

Clearing HSTS in Internet Explorer

  • To open Registry Editor on your PC, open Run box and type “regedit” and hit Enter.
  • Now, browse the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
  • Now, on Edit menu, browse to New and click on Key. Type FEATURE_DISABLE_HSTS and press Enter.
  • Click on FEATURE_DISABLE_HSTS.
  • Again, on Edit menu, click on New and click on DWORD value.
  • Type iexplore.exe.
  • Browse Edit menu and click Modify. In the Value data box, type 1 and click Ok to save the changes.
  • Browse the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\
  • On Edit menu, click on New and click Key.
  • You need to type FEATURE_DISABLE_HSTS and hit Enter.
  • Click on FEATURE_DISABLE_HSTS.
  • On Edit menu, browse New and click on DWORD value then, Type iexplore.exe.
  • Again, Click on Edit menu and click Modify.
  • You need to enter value in Value data box, type 1 and hit Ok.
  • Finally, exit from Registry Editor.

Note: Values for the iexplore.exe subkey are 0 and 1. A value of 1 inactivates the feature, and 0 activates the feature.

Conclusion

As you’ve witnessed, HSTS settings provide you with enhanced website security. If you’re developing your own website, it is strongly recommended that you boost your online security by applying HSTS. Before you go ahead and implement HSTS, keep in mind that you will need to have first installed a reputable SSL Certificate.

Whilst HSTS offers a range of benefits, the downside can be the occasional browser error. If this occurs, it only takes a few short steps to clear and disable HSTS. Once this done, you’ll be able to get back to business and enjoy an uninterrupted browsing experience.