Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

How to Remove HSTS from URL Test Server Url in Browser?

  • 1 reply
  • 1 has this problem
  • 7 views
  • Last reply by cor-el

more options

I have a prod server (example.com) and local vbox vm test server (test.example.com), both running nextcloud. I am developing using Ubuntu Mozilla Firefox 89.0.2

The test server uses example.com, but has a domain alias test.example.com, that I use to differentiate between test and prod when working.

I accidentally added the following HSTS apache2 directive to my test server:

   <IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
   </IfModule>

The net result, is that I can't open the test nextcloud site and the prod nextcloud simultaneously in my browser because `test.example.com` will suddenly switch to `https://test.example.com` and lock me out.

I have researched and tried all multiple different methods to remove HSTS from test url, which are:

1.) The "Forget About This Website" method via the firefox browser history for both test.example.com and example.com

2.) I tried deleting "Site Preferences", using "Everything" as the time period, under Privacy & Security Settings (I went to the max and deleted cache, cookies, browser history, -everything-)

3.) I edited "SiteSecurityServiceState.txt" located in my browser profile folder.

4.) I also used about:config and switched `security.mixed_content.block_display_content` from "false" to "true"

5.) I also made the file `SiteSecurityServiceState.txt` as to to completely HSTS in the browser, yet the problem still persists. (even tried deleting it)

5.) Also, in my `/var/www/config/config.php` for nextcloud, I have also edited the trusted domains section as follows:

   'trusted_domains' =>
     array (
     0 => 'test.example.com',
       ),

All of this has failed to permanently correct the problem. I might be able to access test.example.com for a short period of time, but if prod server example.com is opened the problematic `https://test.example.com` returns.

And FYI, `https://hstspreload.org/?domain=example.com` still shows:

   Warning: Unnecessary HSTS header over HTTP
The HTTP page at http://example.com sends an HSTS header. This has no effect over HTTP, and should be removed.

Help :-/

I have a prod server (example.com) and local vbox vm test server (test.example.com), both running nextcloud. I am developing using Ubuntu Mozilla Firefox 89.0.2 The test server uses example.com, but has a domain alias test.example.com, that I use to differentiate between test and prod when working. I accidentally added the following HSTS apache2 directive to my test server: <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" </IfModule> The net result, is that I can't open the test nextcloud site and the prod nextcloud simultaneously in my browser because `test.example.com` will suddenly switch to `https://test.example.com` and lock me out. I have researched and tried all multiple different methods to remove HSTS from test url, which are: 1.) The "Forget About This Website" method via the firefox browser history for both test.example.com and example.com 2.) I tried deleting "Site Preferences", using "Everything" as the time period, under Privacy & Security Settings (I went to the max and deleted cache, cookies, browser history, -everything-) 3.) I edited "SiteSecurityServiceState.txt" located in my browser profile folder. 4.) I also used about:config and switched `security.mixed_content.block_display_content` from "false" to "true" 5.) I also made the file `SiteSecurityServiceState.txt` as to to completely HSTS in the browser, yet the problem still persists. (even tried deleting it) 5.) Also, in my `/var/www/config/config.php` for nextcloud, I have also edited the trusted domains section as follows: 'trusted_domains' => array ( 0 => 'test.example.com', ), All of this has failed to permanently correct the problem. I might be able to access test.example.com for a short period of time, but if prod server example.com is opened the problematic `https://test.example.com` returns. And FYI, `https://hstspreload.org/?domain=example.com` still shows: Warning: Unnecessary HSTS header over HTTP<br> The HTTP page at http://example.com sends an HSTS header. This has no effect over HTTP, and should be removed. Help :-/

All Replies (1)

more options

I would assume that this is a problem with the server that still send HSTS data.

You can possibly try to catch this via HTTP logging via the about:networking page.