
How to disable HTTP Strict Transport Security?


It's not a problem with Apache, but with the fact that Rails sends an HSTS header.

In Chrome, you can clear the HSTS state by going into about:net-internals, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = true also uses a 301 (permanent) redirection.

In addition, according to this answer, you could also make your application send an STS header with max-age=0. In your controller:

response.headers["Strict-Transport-Security"] = 'max-age=0'


Just wanted to point out @Bruno's answer and @JoeVanDyk's suggestions are true and can be applied beyond the context of Rails/Apache. I'm using PHP and Nginx. PHP has nothing to do with it in my case, but here are the steps with Nginx:

    # sorry, here's the nginx.conf part first; can't figure out how to mix multi-line
    # code with an ordered list
    server {
      #...
      #change:
      # add_header  Strict-Transport-Security "max-age=315360000; includeSubdomains";
      #to:
      add_header  Strict-Transport-Security "max-age=0;";
      #...
    }

  1. clear your "browser history". To clarify on @JoeVanDyk's suggestion, I think you need to clear "browsing history" because clearing the cache didn't work for me (tested on Chrome/Firefox, please add comments if you know more).

  2. nginx.conf file (see code above)

  3. restart server

    root@ip-xxx-xxx-xxx:~# /etc/init.d/nginx restart

After this, you can revert the nginx add_header Strict.. command to what you previously had. Just make sure you repeat steps 1-3 again.
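As an added check (my own code, not from either answer above), this Python parser applies the Strict-Transport-Security directive grammar from RFC 6797 to the header values quoted in the Rails and nginx answers: it shows that the nginx value "max-age=0;" with its trailing semicolon still parses to max-age 0 and therefore clears a browser's cached policy, while a value without max-age is ignored by browsers entirely. The function names are my own.

```python
import re

# Grammar from RFC 6797 section 6.1: directives separated by ';', names are
# case-insensitive, max-age is mandatory, and an empty directive (a stray
# trailing ';') is permitted, which is why the nginx line "max-age=0;" works.

def parse_hsts(value):
    """Split an STS header value into a {name: value} dict; None if malformed."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue                      # tolerate "max-age=0;"
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in directives:            # RFC 6797: a directive may appear once
            return None
        directives[name] = val.strip().strip('"')   # max-age may be quoted
    return directives

def hsts_policy(value):
    """Describe what a conforming browser does with this header value.

    Returns None when the header must be ignored (missing or non-integer
    max-age); otherwise a dict with the effective settings and whether the
    header installs a policy ("pin") or deletes the cached one ("clear")."""
    d = parse_hsts(value)
    if d is None or not re.fullmatch(r"\d+", d.get("max-age", "")):
        return None
    max_age = int(d["max-age"])
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in d,
        "action": "clear" if max_age == 0 else "pin",
    }

# Constructed sample values: the two header values from the answers above plus
# a malformed one that browsers discard.
if __name__ == "__main__":
    for v in ("max-age=315360000; includeSubdomains", "max-age=0;", "includeSubdomains"):
        print(repr(v), "->", hsts_policy(v))
```

Note that "clear" only takes effect once the browser actually receives the header over HTTPS; sending it over plain HTTP does nothing, per RFC 6797.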


I found I couldn't delete an HSTS entry in Chrome as I was using an IP address for development. I couldn't seem to get chrome://net-internals/#hsts to delete the entry. I found that Chrome stores the entries in ../AppData/local/Google/Chrome/User Data/Default/TransportSecurity so I just deleted the file. It of course removes all HSTS requests, but I suspect they will be rebuilt over time.