Delete HSTS Settings

Note that these instructions are mainly useful for developers who were testing HSTS and now need to delete the settings. For a website you do not control, deleting your browser’s local HSTS settings will not help if the website is still serving an HSTS header as your browser will simply save the settings again on each visit/refresh.

In Chrome you may see the error “NET::ERR_CERT_COMMON_NAME_INVALID.” If you click “Advanced” in Chrome the error message will include “You cannot visit domain.com right now because the website uses HSTS.” That will confirm the error is HSTS-related. On localhost you may see the error “This site can’t provide a secure connection.”

In Firefox the interstitial page will read: “This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.”

If you have determined the error is due to cached HSTS settings, follow the instructions below to resolve it:

How to Delete HSTS Settings in Chrome:

 

  1. Navigate to chrome://net-internals/#hsts

This is Chrome’s UI for managing your browser’s local HSTS settings.

  2. First, to confirm the domain’s HSTS settings are recorded by Chrome, type the hostname into the Query Domain section at the bottom of the page. Click Query. If the Query box returns Found with settings information below, the domain’s HSTS settings are saved in your browser.

Note that this is a very sensitive search. Only enter the hostname, such as www.example.com or example.com without a protocol or path.

  3. Type the same hostname into the Delete domain section and click

Your browser will no longer force an HTTPS connection for that site! You can test if it’s working properly by refreshing or navigating to the page.

Note that depending on the HSTS settings provided by the site, you may need to specify the proper subdomain. For example, the HSTS settings for staging.yoursite.com may be separate from yoursite.com, so you may need to repeat the steps as appropriate.

How to Delete HSTS Settings in Firefox:

We will cover two different methods for deleting HSTS settings in Firefox. The first method should work in most cases – but we also included a manual option if needed.

  1. Close all open tabs in Firefox.
  2. Open the full History window with the keyboard shortcut Ctrl + Shift + H (Cmd + Shift + H on Mac). You must use this window or the sidebar for the below options to be available.
  3. Find the site you want to delete the HSTS settings for – you can search for the site at the upper right if needed.
  4. Right-click the site from the list of items and click Forget About This Site. This should clear the HSTS settings (and other cache data) for that domain.
  5. Restart Firefox and visit the site. You should now be able to visit the site over HTTP/broken HTTPS.

Manual Method for Firefox
If the above steps do not work, you can try the following method.

Start by locating your Firefox profile folder through your operating system’s file explorer. You can find this folder through Firefox by navigating to about:support

Halfway down the page, in the Application Basics section, you will see Profile Folder. Click Open Folder.

Now close Firefox so that the browser does not overwrite any settings we are about to change.

In your Profile folder find and open the file SiteSecurityServiceState.txt. This file contains cached HSTS and HPKP (Key Pinning, a separate HTTPS mechanism) settings for domains you have visited. It may be very disorganized.

Search for the domain you want to clear the HSTS settings for and delete it from the file. Each entry begins with the domain name. Delete the entirety of the entry from the beginning of the desired domain name to the next listed domain. As an alternative, you can rename the existing file from a .txt to a .bak (in order to save the existing file, just in case) and allow Firefox to create an entirely new file on next start up.

Here is an example of a simple HSTS listing:

www.thesslstore.com:HSTS          0               17312   1527362896190,1,0

As mentioned, the formatting for this file can be messy. Below is a sample from my profile. Each domain’s settings are shown in a unique color to make separation clear. In this case, part of the settings for the previous domain appears at the beginning in red:

1527363079029,1,0www.thesslstore.com:HSTS                                  0               17312
1527362896190,1,0scotthelme.co.uk:HPKP       0               17312 1498419087277,1,1,9dNiZZueNZmyaf3pTkXxDgOzLkjKvI+Nza0ACF5IDwg=X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=V+J+7lHvE6X0pqGKVqLtxuvk+0f+xowyr3obtq8tbSw=9lBW+k9EF6yyG9413/fPiHhQy5Ok4UI5sBpBTuOaa/U=ipMu2Xu72A086/35thucbjLfrPaSjuw4HIjSWsxqkb8=+5JdLySIa9rS6xJM+2KHN9CatGKln78GjnDpf4WmI3g=MWfCxyqG2b5RBmYFQuLllhQvYZ3mjZghXTRn9BL9q10=
api.github.com:HSTS       0               17312   1527362865303,1,1
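
The manual edit described above can be scripted. The following Python is an added example, not part of the original article or of Firefox. It assumes one entry per line with whitespace-separated fields, and that the last field reads expiry,state,includeSubdomains (an assumption inferred from the samples shown). It removes the HSTS entry for a host, plus any parent-domain entry whose includeSubdomains flag is 1, after copying the file to .bak.

```python
import shutil
from pathlib import Path

# First two lines are the article's examples; the yoursite.com line is constructed.
SAMPLE = (
    "www.thesslstore.com:HSTS\t0\t17312\t1527362896190,1,0\n"
    "api.github.com:HSTS\t0\t17312\t1527362865303,1,1\n"
    "yoursite.com:HSTS\t0\t17312\t1527362865303,1,1\n"
)

def parse_entry(line):
    """Return (host, kind, include_subdomains) or None for an unparseable line."""
    fields = line.split()
    if len(fields) < 4 or ":" not in fields[0]:
        return None
    host, _, kind = fields[0].rpartition(":")
    value = fields[3].split(",")
    # Assumption: value is expiry_ms,state,includeSubdomains
    include_sub = len(value) >= 3 and value[2] == "1"
    return host.lower(), kind, include_sub

def covers(entry_host, include_sub, target):
    """True if an entry for entry_host forces HTTPS on target."""
    if entry_host == target:
        return True
    return include_sub and target.endswith("." + entry_host)

def strip_hsts(text, target):
    """Return (new_text, removed_hosts) with HSTS entries affecting target dropped."""
    target = target.lower().rstrip(".")
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        entry = parse_entry(line)
        if entry and entry[1] == "HSTS" and covers(entry[0], entry[2], target):
            removed.append(entry[0])
        else:
            kept.append(line)  # HPKP and unrelated entries are left untouched
    return "".join(kept), removed

def clean_profile(profile_dir, target):
    """Back up the state file to .bak, then rewrite it. Run with Firefox closed."""
    path = Path(profile_dir) / "SiteSecurityServiceState.txt"
    shutil.copy2(path, path.with_suffix(".bak"))
    # Bytes in/out so the file's own line endings are preserved on every OS.
    new_text, removed = strip_hsts(path.read_bytes().decode("utf-8"), target)
    path.write_bytes(new_text.encode("utf-8"))
    return removed
```

Calling `clean_profile(profile_dir, "staging.yoursite.com")` on a profile containing the sample lines would report `yoursite.com` as removed, because that parent entry's subdomain flag is set.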
