How to Disable HSTS in Chrome & Firefox

Google Chrome

If you’re here because you’re looking for phrases like “HSTS Chrome disable,” “clear HSTS Chrome,” and “disable HSTS Firefox,” then we’ve got you covered. This post is all about clearing HSTS settings in Chrome and Firefox.

When you attempt to open a website, you may come across error messages such as “Your connection is not private” or “Security risk ahead,” and sometimes you have no way to override them. There are several possible reasons for seeing these alerts, such as the website’s SSL/TLS certificate being self-signed, expired, revoked, or issued for the wrong name. Another possibility is that the site has enabled HSTS, which removes the usual “proceed anyway” option.

To get past these errors, you would have to disable HSTS for that site in Chrome or Firefox (if you’re using one of those browsers).

So, what is HSTS, and how can you disable it in your browser? In this post, we’ll cover how to disable HSTS in Chrome and Firefox. We’ll also talk about the risks involved, which may make you rethink doing so.

What Is HSTS?

HSTS stands for HTTP Strict Transport Security. It tells browsers to access a website over secure HTTPS connections only. (If you are not familiar with how HTTP, HTTPS, and SSL/TLS certificates work, scroll down to the last part of this article.) Once a browser has seen a site’s HSTS policy, any attempt to load that site over plain HTTP is rewritten to HTTPS before the request leaves the browser. If the HTTPS connection then fails certificate validation, the browser shows an error page that cannot be bypassed.

Website owners enable HSTS by sending a special HTTP response header, Strict-Transport-Security, over HTTPS. HSTS protects the website’s users from attacks such as SSL stripping and man-in-the-middle (MitM) attacks. Unlike other certificate errors, users can’t skip an HSTS error page by clicking the “Advanced” button and then “Proceed to anywebsite.com (unsafe)”; the browser simply does not offer that option for a known HSTS host.

But there are ways to disable HSTS in Chrome and Firefox by changing certain settings in the browsers. By doing so, you are forcing the browser to forget the website’s HSTS policy so that it will once again load the site over HTTP or let you click through a certificate error. However, this is a risky activity, and we don’t recommend it.

When you use HTTP instead of HTTPS, everything exchanged between you and the website travels in plaintext. This means that an attacker on the network path can steal a range of your confidential information, including:

  • Bank account details,
  • Payment card numbers,
  • Social security number,
  • Health records,
  • Mobile number,
  • Physical address, and
  • Password credentials.

Having said that, if you still want to reach the site and aren’t planning to enter any confidential details, you can disable HSTS in Chrome and Firefox by following the steps below.

How to Disable HSTS in Chrome 

To clear HSTS settings in the Chrome browser, do the following:

Step 1: Type chrome://net-internals/#hsts in the address bar.

Step 2 (optional): If you want to check whether the website you are trying to reach has enabled HSTS, type the domain name (without https:// or http://) in the Query HSTS/PKP domain field and click Query. If the result is “Not found,” Chrome has no HSTS policy for that host and something else is causing the error.

Step 3: Scroll down the page to the Delete domain security policies section. Type the website’s domain name (for the site you’re trying to reach) in the field and click Delete. Please make sure you write the domain name without http:// or https:// (for example, amazon.com or www.amazon.com). Note that the policy is stored per host name, so amazon.com and www.amazon.com are separate entries unless the site set includeSubDomains on the parent domain.

That’s it! This is all you need to disable HSTS in Chrome for a site whose policy Chrome learned from the site’s own header. One caveat: domains that are built into Chrome’s HSTS preload list (the query result shows them in the static fields rather than the dynamic ones) are compiled into the browser and cannot be deleted this way.

How to Manually Disable HSTS in Firefox For a Specific Website

Step 1: Open Firefox and press Ctrl+Shift+H (or Cmd+Shift+H on Mac) to open the History (Library) window.

Step 2: Find the page for which you want to clear HSTS. You can do this either by picking the site from the list or by using the Search History box in the top-right corner.

Step 3: Right-click on the website and pick Forget About This Site.

Please note that this will remove all data Firefox has stored for this site (cookies, cache, saved passwords, and site permissions), not just the HSTS policy. For the change to take effect, you may need to exit and restart Firefox.

How to Change Browser Settings to Disable HSTS in Firefox  

Method 1 

Step 1: Type about:config in Firefox’s address bar.

Step 2: Click the Accept the Risk and Continue button.

Step 3: Type stricttransportsecurity in the search bar.

Step 4: The only matching preference, network.stricttransportsecurity.preloadlist, controls Firefox’s built-in HSTS preload list. Double-click it to set it to false. This affects only preloaded domains; a policy Firefox learned from a site’s own Strict-Transport-Security header is not changed by any about:config preference, so for those use Forget About This Site (above) or Method 2 (below).

Method 2 

If the above tip doesn’t work (it won’t for a policy the site itself sent), clear Firefox’s stored site preferences, which is where HSTS state is kept.

Step 1: Open the History tab from the library option.

Step 2: Click on Clear recent history.

Step 3: Select Everything in the time range dropdown, and tick Site preferences (called Site settings in newer Firefox versions) under the Data heading. Click OK. Note that this clears the HSTS state and other site settings for every site, not just the one you are trying to reach.

Step 4: Restart the browser.

The Basics: How HTTPS Works & Why Websites Prefer HSTS

HTTP stands for hypertext transfer protocol. Originally, all the data exchanged between a website and its users travelled over HTTP. But in HTTP, the data is transmitted in plaintext. That means if an attacker intercepts your connection, for example by compromising your router or a public Wi-Fi hotspot, they can read and steal your sensitive data.

That’s why a more secure protocol, HTTPS, was created. HTTPS, which stands for hypertext transfer protocol secure, provides an encrypted and authenticated channel for transferring data. Encryption converts the plaintext data into an unreadable form using a mathematical algorithm. No one can decrypt the encrypted text without the corresponding cryptographic key.

To enable HTTPS, the website owner installs an SSL/TLS certificate. After installation, the webmaster sets up 301 (permanent) redirects to move all the web pages from HTTP to HTTPS. For example, if I type http://sectigostore.com, it immediately redirects me to https://sectigostore.com. But sometimes the redirects don’t work properly, and the site is only available via HTTP. Some businesses also deliberately keep certain web pages on HTTP, or keep them reachable over both HTTP and HTTPS.

Risks Associated With Using HTTP Instead of HTTPS

Accessing a website through HTTP is a dangerous activity. As we pointed out earlier, there is nothing to decrypt: an attacker in a MitM position can simply read and steal confidential data from the plaintext traffic. Attackers also perform SSL stripping attacks, using a tool such as sslstrip, to keep a victim’s browser on the vulnerable HTTP connection even when the site supports HTTPS.

SSL stripping removes HTTPS from the connection between a user and the server in order to carry out a man-in-the-middle attack. When the user first reaches the site over HTTP (for example by typing the bare domain name), the attacker intercepts the request, opens an HTTPS connection between himself and the server, and rewrites every https:// link and redirect in the responses to http://. So the connection between the website visitor and the attacker stays in HTTP, while the connection between the attacker and the website’s server is in HTTPS.

Here, the attacker acts as a bridge between the user and the server. They can read all the user’s data while it is in plaintext on the HTTP leg. The server doesn’t notice anything, because from its end it is serving an ordinary HTTPS connection.

How HSTS Prevents Cyber Risks Associated with Using HTTP

HSTS was developed in response to the SSL stripping attack demonstrated by security researcher Moxie Marlinspike. With HSTS, the website instructs browsers to open the website exclusively over HTTPS. Hence, if anyone attempts to open the site over HTTP, or tricks the browser into following an http:// link to it, the browser rewrites the request to HTTPS before it is sent, so the attacker never sees plaintext.
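The mechanism described in this section and in the “What Is HSTS?” section, together with the SSL stripping attack from the previous section, as an added example that is not code from this post: a toy model in Python of the HSTS store a browser keeps. It implements the parts that matter here, following RFC 6797: the Strict-Transport-Security header is honoured only when received over HTTPS, max-age and includeSubDomains are parsed, expired entries are evicted, max-age=0 makes the browser forget a host, a preloaded host cannot be forgotten, and an http:// request to a known host is rewritten to https:// before it leaves the browser, which is exactly what defeats a stripped link. The host names (bank.example, shop.example, and example.gov as a stand-in preloaded entry), the header values, and the HTML page are constructed for illustration.

```python
"""Toy model of a browser's HSTS store, following RFC 6797 semantics.
Added example, not code from the post: host names, header values, the
preload entry and the HTML below are constructed for illustration.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Remembers which hosts the browser must reach over HTTPS only."""

    def __init__(self, preloaded=(), clock=time.time):
        # Preloaded hosts are compiled into the browser; they cannot be deleted.
        self._preloaded = {h.lower() for h in preloaded}
        self._entries = {}   # host -> (expires_at, include_subdomains)
        self._clock = clock

    def observe(self, url, headers):
        """Learn a policy from a response. Returns True if the store changed."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False   # RFC 6797: the header is ignored over plain HTTP
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        max_age, include_sub = self._parse(value)
        if max_age is None:
            return False   # max-age is mandatory; a malformed header is ignored
        host = parts.hostname.lower()
        if max_age == 0:
            self._entries.pop(host, None)   # max-age=0 tells the browser to forget
        else:
            self._entries[host] = (self._clock() + max_age, include_sub)
        return True

    @staticmethod
    def _parse(value):
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                m = re.fullmatch(r'"?(\d+)"?', val.strip())
                if m:
                    max_age = int(m.group(1))
            elif name == "includesubdomains":
                include_sub = True
        return max_age, include_sub

    def is_known(self, host):
        """Is `host` (or a parent that set includeSubDomains) a known HSTS host?"""
        host = host.lower()
        labels = host.split(".")
        now = self._clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self._preloaded:
                return True   # preload list entries always cover subdomains
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                continue   # expired: the browser evicts it
            if i == 0 or include_sub:
                return True
        return False

    def forget(self, host):
        """What 'Delete domain security policies' (Chrome) or 'Forget About
        This Site' (Firefox) do. Has no effect on a preloaded host."""
        return self._entries.pop(host.lower(), None) is not None

    def navigate(self, url):
        """Return the URL the browser really requests for `url`."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        port = parts.port
        netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def sslstrip_rewrite(html):
    """What an on-path attacker does to a page relayed to the victim over
    plain HTTP: every https:// link is rewritten to http://."""
    return html.replace("https://", "http://")


def follow_links(store, page_html):
    """URLs the victim's browser actually requests after clicking each link
    of the attacker-rewritten page."""
    links = re.findall(r'href="([^"]+)"', sslstrip_rewrite(page_html))
    return [store.navigate(link) for link in links]
```

The interesting case is follow_links: after the store has seen bank.example’s header once over HTTPS, the stripped http://bank.example/login link is upgraded back to HTTPS and the attacker is cut out, while shop.example, which never sent the header, is fetched over HTTP exactly as the attacker intended. Calling forget("bank.example") puts the bank back in the second group, which is what the browser steps in this post do.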

But the good (or bad, depending on your point of view) thing about HSTS is that it is absolute. If an HSTS-enabled website’s SSL/TLS certificate has a problem, the browser won’t let users bypass the error page with the usual tricks for getting past a “Your connection is not private” or “Security risk ahead” page, because it cannot tell a misconfigured certificate from an active attack. You can, however, use the tips above to make your browser forget the HSTS policy.

Wrapping Up on How to Disable HSTS in Chrome and Firefox

HSTS plays an important role in web security. In fact, the U.S. General Services Administration (GSA) announced in June 2020 that it plans to require all .gov domains to run on HTTPS and to use HSTS to enforce it.

But as a website visitor, if you want to disable HSTS for a site, all the popular browsers let you do so. Just make sure you don’t enter any sensitive details on a site loaded over HTTP. Attackers can use that information to make you a victim of financial fraud or identity theft.

Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards & w-se. Previously, he worked as a security news reporter.