How to Remove HSTS from URL Test Server Url in Browser?
I have a prod server (example.com) and a local vbox VM test server (test.example.com), both running Nextcloud. I am developing using Ubuntu Mozilla Firefox 89.0.2.
The test server uses example.com, but has a domain alias test.example.com, that I use to differentiate between test and prod when working.
I accidentally added the following HSTS apache2 directive to my test server:
```
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
```
The net result is that I can't open the test Nextcloud site and the prod Nextcloud site simultaneously in my browser, because `test.example.com` will suddenly switch to `https://test.example.com` and lock me out.
I have researched and tried multiple different methods to remove HSTS from the test URL, which are:
1.) The "Forget About This Website" method via the firefox browser history for both test.example.com and example.com
2.) I tried deleting "Site Preferences", using "Everything" as the time period, under Privacy & Security Settings (I went to the max and deleted cache, cookies, browser history, -everything-)
3.) I edited "SiteSecurityServiceState.txt" located in my browser profile folder.
4.) I also used about:config and switched `security.mixed_content.block_display_content` from "false" to "true"
5.) I also made the file `SiteSecurityServiceState.txt` as to completely HSTS in the browser, yet the problem still persists. (I even tried deleting it.)
6.) Also, in my `/var/www/config/config.php` for Nextcloud, I have also edited the trusted domains section as follows:
'trusted_domains' => array ( 0 => 'test.example.com', ),
All of this has failed to permanently correct the problem. I might be able to access test.example.com for a short period of time, but if prod server example.com is opened, the problematic `https://test.example.com` returns.
And FYI, `https://hstspreload.org/?domain=example.com` still shows:
Warning: Unnecessary HSTS header over HTTP
The HTTP page at http://example.com sends an HSTS header. This has no effect over HTTP, and should be removed.
Help :-/
All Replies (1)
I would assume that this is a problem with the server that still sends HSTS data.
You can possibly try to catch this via HTTP logging via the about:networking page.
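
An added example, not part of the thread and not Firefox's own code: a simplified Python model of the HSTS host list as RFC 6797 section 8 describes it. It shows how an `includeSubDomains` policy noted for `example.com` over HTTPS also covers `test.example.com`, and that such an entry only goes away when the host that set it sends `max-age=0` over HTTPS. The class and function names are hypothetical, and the assumption is that the parent domain serves the same policy string quoted in the question.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    """Hypothetical, simplified model of a browser's HSTS host list."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, include_subdomains)

    def note_response(self, scheme, host, header, now):
        if scheme != "https":
            return  # an HSTS header received over plain HTTP is ignored
        max_age, include_sub = parse_hsts(header)
        if max_age == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 deletes the entry
        else:
            self.hosts[host.lower()] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # i == 0 is an exact match; parent entries need includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def demo():
    """Constructed sequence of responses; returns must_upgrade('test.example.com')."""
    policy = "max-age=15552000; includeSubDomains"  # value from the question
    store, seen = HstsStore(), []
    store.note_response("http", "test.example.com", policy, now=0)
    seen.append(store.must_upgrade("test.example.com", now=1))  # HTTP: ignored
    store.note_response("https", "example.com", policy, now=1)
    seen.append(store.must_upgrade("test.example.com", now=2))  # parent policy applies
    store.note_response("https", "test.example.com", "max-age=0", now=3)
    seen.append(store.must_upgrade("test.example.com", now=4))  # parent entry remains
    store.note_response("https", "example.com", "max-age=0", now=5)
    seen.append(store.must_upgrade("test.example.com", now=6))  # entry cleared
    return seen
```

In this model, clearing state for `test.example.com` alone has no lasting effect while an unexpired `includeSubDomains` entry for the parent domain exists or is re-noted on the next HTTPS visit to it.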