HTTP Strict Transport Security (HSTS) is a web security policy mechanism, specified in RFC 6797, that helps protect websites against protocol downgrade attacks and cookie hijacking. In a nutshell, it allows a web server to declare that web browsers (and other complying user agents) must only interact with it over secure HTTPS connections and never via insecure HTTP.
Think of it as a permanent HTTP-to-HTTPS redirect that gets stored in your browser when the server sends the Strict-Transport-Security HTTP header. Here’s a quick example:
Strict-Transport-Security: max-age=31536000
As you can see, the above header instructs the browser to allow only HTTPS requests to that domain for the next year (max-age is specified in seconds; 31,536,000 seconds is one non-leap year).
HSTS is an effective countermeasure against man-in-the-middle attacks and is one of the most important HTTP security headers that any decent publicly-facing website should be equipped with. If you want to know more about these headers, or need instructions on how to implement them in Nginx, Apache or IIS, I strongly suggest reading this post.
In this article I will talk about a very specific issue that can happen when HSTS is enabled on an HTTPS website whose SSL certificate is then removed, reverting it to plain HTTP. This can happen for a number of reasons: for example, when the website is moved to a different host or hostname, taking the SSL certificate along or issuing a new one, while the old instance is left online, or when the system administrator (you or someone else) messes things up during the configuration.
When something like this happens, you might end up with the following error in your browser(s):
Privacy error: Your connection is not private (NET::ERR_CERT_AUTHORITY_INVALID)
Luckily, such an issue can easily be fixed by clearing the HSTS cache entry for the specific website. Here’s how to do that in Google Chrome and Mozilla Firefox:
Google Chrome (or Chromium)
- Close all open/active tabs.
- Type chrome://net-internals/#hsts into the address bar to access the network internals page.
- Type the domain name into the Query Domain text field and click the corresponding button to check if there are settings present for your domain.
- If so, enter the same domain in the Delete Domain text field and click the button beside it.
- If you now query the domain again with the Query Domain field you should get Not found as the answer, meaning that the HSTS settings for that entry have been deleted.
Mozilla Firefox
- Close all open/active tabs.
- Open your browser settings and go to History > Show complete history.
- Search for the page you want to delete the HSTS settings for and right-click on it.
- Select Forget About This Site to get rid of the cached HSTS settings. Note that doing this will also remove everything saved locally in your browser for that domain, including cookies, saved passwords, etc.
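Both procedures above remove a host’s entry from the browser’s HSTS cache. As an added example (not from the original post), here is a small Python model of such a cache: it parses the Strict-Transport-Security header as RFC 6797 describes, honours max-age in seconds and includeSubDomains, and exposes the same query and delete operations the Chrome steps perform. Host names and timestamps are constructed for illustration.

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns (max_age_seconds, include_subdomains), or None if the required
    max-age directive is missing or malformed. Directive names are
    case-insensitive and unknown directives (e.g. preload) are ignored."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsCache:
    """Toy model of a browser's HSTS store: one entry per host name."""

    def __init__(self):
        self.entries = {}  # host -> (expiry as unix time, include_subdomains)

    def learn(self, host, header, now):
        """Remember a policy received over HTTPS; max-age=0 clears it (RFC 6797)."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_subdomains)

    def must_use_https(self, host, now):
        """'Query domain': is plain HTTP still refused for this host right now?
        Walks up the parent domains so includeSubDomains entries apply too."""
        labels = host.split(".")
        for i in range(len(labels)):
            expiry, subs = self.entries.get(".".join(labels[i:]), (0, False))
            if expiry > now and (i == 0 or subs):
                return True
        return False

    def forget(self, host):
        """'Delete domain': drop the cached entry so plain HTTP works again."""
        self.entries.pop(host, None)
```

Once `example.com` has been learned with max-age=31536000 and its certificate later disappears, `must_use_https` keeps returning True for a year, which is exactly why the browser shows the privacy error until the entry is forgotten.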