How to disable HTTP Strict Transport Security?
It's not a problem with Apache, but with the fact that Rails sends an HSTS header.
In Chrome, you can clear the HSTS state by going into about:net-internals, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = true also uses a 301 (permanent) redirection.
In addition, according to this answer, you could also make your application send an STS header with max-age=0. In your controller:
response.headers["Strict-Transport-Security"] = 'max-age=0'
Just wanted to point out @Bruno's answer and @JoeVanDyk's suggestions are true and can be applied beyond the context of Rails/Apache. I'm using PHP and Nginx. PHP has nothing to do with it in my case, but here's the steps with Nginx:
// sorry, here's the nginx.conf part first, can't figure out how to mix multi-line
// code with an ordered list
server {
    # ...
    # change:
    # add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";
    # to:
    add_header Strict-Transport-Security "max-age=0;";
    # ...
}

1. clear your "browser history". To clarify on @JoeVanDyk's suggestion, I think you need to clear "browsing history" because clearing the cache didn't work for me (tested on Chrome/Firefox, please add comments if you know more).
2. nginx.conf file (see code above)
3. restart server: root@ip-xxx-xxx-xxx:~# /etc/init.d/nginx restart

After this, you can revert the nginx add_header Strict.. command to what you previously had. Just make sure you repeat steps 1-3 again.
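The Rails and nginx answers above both rely on the same browser behaviour: a Strict-Transport-Security header with max-age=0 deletes the host's HSTS entry, and the header only counts when it arrives over HTTPS. The following is an added example, not code from any of the answers, modelling that store logic after RFC 6797 section 8.1; the class and method names are my own, and the host names used in it are made up.

```ruby
# Added example: a minimal model of a browser's HSTS host store, following
# RFC 6797 section 8.1. It shows why `max-age=0` clears an entry and why the
# header is ignored on a plain-HTTP response. Class/method names are hypothetical.
class HstsStore
  Entry = Struct.new(:expires_at, :include_subdomains)

  def initialize
    @hosts = {}
  end

  # Parse a header value such as 'max-age=0;' or 'max-age=31536000; includeSubDomains'
  # into a hash keyed by lowercase directive name (valueless directives map to true).
  def self.parse(value)
    value.split(';').each_with_object({}) do |token, acc|
      name, val = token.strip.split('=', 2)
      next if name.nil? || name.empty?
      acc[name.downcase] = val.nil? ? true : val.delete('"')
    end
  end

  # Apply the header from a response for `host` received via `scheme` at time `now`.
  # Returns a symbol describing what the store did.
  def apply(host, scheme, header, now = Time.now)
    return :ignored_not_https unless scheme == 'https' # only secure transport updates the store
    return :ignored_no_header if header.nil?
    directives = HstsStore.parse(header)
    return :ignored_invalid unless directives['max-age'].to_s =~ /\A\d+\z/
    max_age = directives['max-age'].to_i
    if max_age.zero?
      @hosts.delete(host) # this is what the max-age=0 trick in the answers relies on
      return :cleared
    end
    @hosts[host] = Entry.new(now + max_age, directives.key?('includesubdomains'))
    :stored
  end

  # Would the browser force HTTPS for this host right now? Walks up the parent
  # domains so that includeSubDomains entries are honoured.
  def enforced?(host, now = Time.now)
    parts = host.split('.')
    parts.each_index.any? do |i|
      entry = @hosts[parts[i..-1].join('.')]
      next false unless entry && entry.expires_at > now
      i.zero? || entry.include_subdomains
    end
  end
end
```

Note that a cleared entry only stays cleared until the next HTTPS response carries a non-zero max-age, which is why the nginx answer tells you to repeat the steps after reverting the header.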
I found I couldn't delete an HSTS entry in Chrome as I was using an IP address for development. I couldn't seem to get chrome://net-internals/#hsts to delete the entry. I found that Chrome stores the entries in ../AppData/local/Google/Chrome/User Data/Default/TransportSecurity so I just deleted the file. It of course removes all HSTS requests, but I suspect they will be rebuilt over time.