Working way to clear HSTS flag in Firefox and Chrome set with PRELOAD


I develop a web page which had HSTS turned on. Now I want to get rid of it. There are plenty of howtos on the internet, except none of them works for me.

I tried

https://msutexas.edu/library/clearhsts.php#chrome-hdg-0
http://classically.me/blogs/how-clear-hsts-settings-major-browsers/

Mozilla forums (lots of pain) and others

In Firefox: I did "Forget About This Site". I cleaned the whole history.

In Chrome I tried with a new profile, I tried chrome://net-internals/#hsts, but there is a note about preloaded entries:

I understand the motivation for HSTS, but right now I need it gone.

EDIT:

I tried everything and nothing worked. I checked that my site is not sending any HSTS headers (used an empty nginx). As a last resort I used a live Linux to boot fresh, and I got HSTS again.


So obviously there must be a list of HSTS sites shared among browsers, and then I finally found https://hstspreload.org/, which explains a lot.

My site got HSTS injected from the cloudflare.com proxy. I don't remember how I set the preload flag, but it's there. Now I can only access the site with 'thisisinsecure' from Chrome.

Importing a self-signed certificate is not working. I generated one with the correct common name and Firefox still says 'The certificate is not trusted because it is self-signed.' It should be trusted, because I generated it. At least the choice should be mine.

Setting max-age=0 did not work, I think because the certificate itself is not trusted.

I'll try to import a Certificate Authority.


7
James G On

It seems this SO answer has what you need - at least for Google Chrome.

Your issue is that your site, it seems, is sending Strict-Transport-Security headers, which will be cached.

Alternatively, you can alter the site you are developing for and add a max-age directive of 0 to your HSTS header, such that the header is immediately expired. This will remove the header from the cache of any browsers visiting the site. You would then remove the header from your solution to permanently disable it.

EDIT: It seems Chrome now has a nice UI for this, allowing you to check and remove items from the HSTS cache - enter chrome://net-internals/#hsts into your browser

Firefox has a different method; you will need to:

  • Close all instances of Firefox, and open a new Firefox window
  • Open the History view
  • Right-click the site from the list of items and click Forget About This Site - this should clear the HSTS settings (and other cache data) for that domain
  • Restart Firefox and visit the site

Edit 2: If this does not work, you can remove the HSTS keyfile as described in this post; the key instructions are repeated below.

Manual Method for Firefox

Start by locating your Firefox profile folder through your operating system’s file explorer. You can find this folder through Firefox by navigating to about:support

Halfway down the page, in the Application Basics section, you will see Profile Folder. Click Open Folder.

Now close Firefox so that the browser does not overwrite any settings we are about to change.

In your Profile folder find and open the file SiteSecurityServiceState.txt. This file contains cached HSTS and HPKP (Key Pinning, a separate HTTPS mechanism) settings for domains you have visited. It may be very disorganized. Search for the domain you want to clear the HSTS settings for and delete it from the file. Each entry begins with the domain name. Delete the entirety of the entry from the beginning of the desired domain name to the next listed domain.

As an alternative, you can rename the existing file from a .txt to a .bak (in order to save the existing file, just in case) and allow Firefox to create an entirely new file on next start up.
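To make concrete the two mechanisms this thread turns on, the max-age=0 expiry trick from the answer and the preload-list entry that the asker found no header or cache clearing could touch, here is an added model of a browser's HSTS store following RFC 6797. It is example code written for this page, not from either poster; the host names and the preload set are constructed stand-ins.

```python
class HstsStore:
    """Dynamic HSTS cache plus a built-in preload set, following RFC 6797."""

    def __init__(self, preload):
        # Constructed stand-in for the browser's compiled-in preload list;
        # preloaded names always cover their subdomains (preload requires it).
        self.preload = {h.lower() for h in preload}
        self.dynamic = {}  # host -> (expiry epoch seconds, include_subdomains)

    def observe(self, host, header, over_tls, now):
        """Apply a Strict-Transport-Security header received from host at time now."""
        if not over_tls:
            return  # header seen over plain HTTP is ignored (RFC 6797 s8.1)
        max_age, include = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return  # malformed header: the UA ignores it entirely
            elif name == "includesubdomains":
                include = True
        if max_age is None:
            return  # max-age is mandatory; a header without it is ignored
        if max_age == 0:
            self.dynamic.pop(host.lower(), None)  # the max-age=0 removal trick
        else:
            self.dynamic[host.lower()] = (now + max_age, include)

    def is_known(self, host, now):
        """Return (enforced, source) for host; a preload hit is not clearable."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            if cand in self.preload:
                return True, "preload"
            pol = self.dynamic.get(cand)
            if pol and pol[0] > now and (i == 0 or pol[1]):
                return True, "dynamic"
        return False, None


if __name__ == "__main__":
    store = HstsStore(preload={"preloaded.example"})  # constructed hosts
    store.observe("dev.example", "max-age=31536000; includeSubDomains", True, now=0)
    store.observe("dev.example", "max-age=0", True, now=10)
    print(store.is_known("dev.example", now=20))        # (False, None)
    print(store.is_known("preloaded.example", now=20))  # (True, 'preload')
```

Note that the only way a preloaded host leaves the set is by changing the shipped list itself, which is why the asker saw HSTS even on a freshly booted system.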