How to disable Chrome HSTS permanently for a subdomain

Frontend · Unresolved · 3 · 2059
情书的邮戳 2021-02-01 06:27

I have the following setup:

The application https://app.domain.de is our production environment and is automatically forwarded to use HTTPS. All works fine here.

3 answers
  •  清酒与你
    2021-02-01 06:54

    HSTS is not "nasty" - it's a security feature. And one that your domain has voluntarily chosen to activate!

    You can remove the includeSubDomains option from production so it's only applied to the top-level domain and not subdomains, providing you have not submitted it to be preloaded into web browsers (please tell me you didn't preload it without fully understanding what that entailed! - you can check this by running your main domain through the SSL Labs testing tool).

    However, the world is moving towards HTTPS everywhere and your development environments do not reflect production. Some features (HTTP/2, Geolocation... etc.) will only work when using HTTPS and this list is growing. Also, depending on how you develop and reference resources, you might start seeing mixed content warnings or missing content once you deploy to production. So in my opinion you DO need HTTPS in your development/QA environments. While I do not know your platform, you really are better off figuring out how to set up HTTPS on your dev environments rather than trying to work around this. Self-signed certificates can be created for free and made to be trusted in your test environment so they are indistinguishable from real certificates to a select number of users.
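To make the scope of the answer's advice concrete, here is an added example (not code from the thread or from any of the posters) that parses a `Strict-Transport-Security` header the way a browser reads it and reports whether a policy served by one host would force HTTPS for another. The two header strings and the host names `domain.de`, `app.domain.de` and `dev.domain.de` are constructed for illustration and are not the asker's real configuration. It goes slightly beyond the answer by also showing that a policy only binds the host that served it plus, with `includeSubDomains`, that host's own subdomains (RFC 6797 section 8.2), so a header on `app.domain.de` never reaches a sibling such as `dev.domain.de`; only a header served by `domain.de` itself can do that.

```python
"""Parse a Strict-Transport-Security header and work out which hosts it binds.

Added example for the thread above; the headers and host names below are
constructed for illustration, not taken from the asker's site.
"""

# Constructed sample headers: the first is the kind of header that pulls every
# subdomain into the policy, the second is the corrected form the answer
# recommends (top-level host only).
WITH_SUBDOMAINS = "max-age=31536000; includeSubDomains"
TOP_ONLY = "max-age=31536000"


def parse_hsts(header: str) -> dict:
    """Return the directives a browser would keep from an HSTS header.

    Directive names are case-insensitive (RFC 6797 section 6.1) and unknown
    directives are ignored, as a conforming browser ignores them.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                policy["max_age"] = int(value)
            except ValueError:
                policy["max_age"] = None  # malformed max-age: header is ignored
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            # Only a signal to the preload list maintainers; it does not by
            # itself change what the browser enforces for this header.
            policy["preload"] = True
    return policy


def hsts_applies_to(header: str, issuing_host: str, target_host: str) -> bool:
    """Would a browser that received `header` from issuing_host force HTTPS
    on target_host?  Mirrors the host-matching rules of RFC 6797 section 8.2/8.3.
    """
    policy = parse_hsts(header)
    if not policy["max_age"]:
        # No valid max-age means the header is ignored; max-age=0 clears a
        # previously stored policy rather than creating one.
        return False
    issuing_host = issuing_host.lower().rstrip(".")
    target_host = target_host.lower().rstrip(".")
    if target_host == issuing_host:
        return True
    # Subdomains are covered only when includeSubDomains is present, and only
    # subdomains *of the issuing host* (not siblings of it).
    return policy["include_subdomains"] and target_host.endswith("." + issuing_host)


if __name__ == "__main__":
    for label, header in (("with includeSubDomains", WITH_SUBDOMAINS), ("top-level only", TOP_ONLY)):
        covered = hsts_applies_to(header, "domain.de", "dev.domain.de")
        print(f"domain.de serving '{header}' ({label}): dev.domain.de forced to HTTPS = {covered}")
    print("app.domain.de serving the includeSubDomains header: dev.domain.de forced =",
          hsts_applies_to(WITH_SUBDOMAINS, "app.domain.de", "dev.domain.de"))
```

Note that removing `includeSubDomains` from the server only stops new policies from being stored; a browser that already cached the old policy keeps it until `max-age` expires or the site serves `max-age=0` on the top-level host. If the domain was submitted for preloading, the browser's built-in list applies regardless of what the server now sends, which is why the answer tells you to check the preload status first.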
