HTTP Strict Transport Security, or HSTS, is a web security mechanism that allows websites to be accessed only through secure connections. It requires browsers to use HTTPS (Hypertext Transfer Protocol Secure) when exchanging data.
The strict mechanism makes a website more secure because only HTTPS connections are allowed to reach it. On the other hand, you will be unable to access it through HTTP. The strict mechanism can also protect websites from downgrade attacks and cookie hijacking.
HTTP Strict Transport Security is primarily used to secure a website during the process of exchanging data. By activating it, you can make sure that every connection that enters your server uses HTTPS.
Other than that, the strict mechanism can prevent threats like downgrade attacks or SSL stripping. In this technique, hackers position themselves between the user and the website, speaking HTTP on one side and HTTPS on the other while relaying the data exchanged between them.
If your site uses HTTP Strict Transport Security to force every user to access it through HTTPS, hackers will not be able to carry out a downgrade attack against your site.
Even though HTTP Strict Transport Security can secure your website, under certain conditions it can cause enough trouble that it must be removed.
HTTP Strict Transport Security becomes a problem when the site has an expired SSL certificate, certificate errors, and similar issues. Such issues prevent browsers from connecting over HTTPS. Because the strict mechanism does not allow a fallback to HTTP, users are left unable to visit the site.
The HTTP Strict Transport Security mechanism works by applying a 301 redirect from the HTTP site to the HTTPS site. Websites that apply the mechanism send the header Strict-Transport-Security: max-age=expireTime; includeSubDomains; preload in their responses.
This requires browsers to make their requests over HTTPS. Once the request goes through, the data exchange can continue.
For example, when a user types the domain http://example.com, the website automatically issues a 301 redirect to https://example.com.
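The check below is an added example, not part of the original article: it parses a Strict-Transport-Security header value and audits the redirect-plus-header behaviour described above. The function names and sample responses are constructed for illustration, and the preload thresholds (includeSubDomains plus a max-age of at least 31536000 seconds) are assumed from the hstspreload.org submission requirements.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1); None if invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue                         # empty directives are permitted
        if name in seen:
            return None                      # a directive may appear only once
        seen.add(name)
        if name == "max-age":                # seconds, bare or as a quoted-string
            m = re.fullmatch(r'([0-9]+)|"([0-9]+)"', arg.strip())
            if not m:
                return None
            policy["max_age"] = int(m.group(1) or m.group(2))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def audit(http_resp, https_resp):
    """Each response is a (status, headers) pair with lower-cased header names."""
    findings = []
    status, headers = http_resp
    if status != 301 or not headers.get("location", "").lower().startswith("https://"):
        findings.append("HTTP does not 301-redirect to HTTPS")
    policy = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    if policy is None:
        findings.append("HTTPS response has no valid HSTS header")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to drop the HSTS policy")
    elif policy["preload"] and not (policy["include_subdomains"]
                                    and policy["max_age"] >= 31536000):
        findings.append("preload without includeSubDomains and max-age >= 1 year")
    return findings

# Constructed sample responses, not captured traffic.
GOOD = ((301, {"location": "https://example.com/"}),
        (200, {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}))
WEAK = ((200, {}), (200, {"strict-transport-security": "max-age=expireTime"}))

if __name__ == "__main__":
    print(audit(*GOOD), audit(*WEAK))
```

The WEAK sample shows what happens when the placeholder expireTime is copied literally instead of being replaced with a number of seconds: the header is invalid and browsers apply no policy.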
If your website encounters SSL problems and you wish to turn off the HTTP Strict Transport Security mechanism, then you do not have to worry. Here are ways to deactivate it easily:

Firda Amalia Mahmud