How to disable Chrome HSTS permanently for a subdomain

情书的邮戳 2021-02-01 06:27

I have the following setup:

The application https://app.domain.de is our production environment and is automatically forwarded to use HTTPS. All works fine here

3 answers
  • 2021-02-01 06:43

    You can type thisisunsafe anywhere on the Google Chrome warning page and it will load it without warning. No joke.

  • 2021-02-01 06:46

    On the main domain, you can remove the includeSubDomains option of your HSTS header, so it will not redirect the subdomain.

    However, this is not the most secure solution. To be effective, it's better to set HSTS+includeSubDomains on all your domains and subdomains (or an attacker can fake the domain "http://secure.yourdomain.com", for example).

    So the most secure solution is to use a self-signed certificate (or a real one) for your dev domains and import it into your browsers beforehand.

  • 2021-02-01 06:54

    HSTS is not "nasty" - it's a security feature. And one that your domain has voluntarily chosen to activate!

    You can remove the includeSubDomains option from production so it's only applied to the top-level domain and not subdomains, providing you have not submitted it to be preloaded into web browsers (please tell me you didn't preload it without fully understanding what that entailed! - you can check this by running your main domain through the SSL Labs testing tool).

    However, the world is moving towards HTTPS everywhere and your development environments do not reflect production. Some features (HTTP/2, Geolocation... etc.) will only work when using HTTPS and this list is growing. Also, depending on how you develop and reference resources, you might start seeing mixed content warnings or missing content once you deploy to production. So in my opinion you DO need HTTPS in your development/QA environments. While I do not know your platform, you really are better off figuring out how to set up HTTPS on your dev environments rather than trying to work around this. Self-signed certificates can be created for free and made to be trusted in your test environment so they are indistinguishable from real certificates to a select number of users.

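The two answers above both turn on what the `Strict-Transport-Security` header actually says: whether `includeSubDomains` is present, and whether `preload` was set (in which case removing the header later does not undo a submitted preload). The following is an added example, not code from any answer: a small parser for the header value following RFC 6797 (a header without `max-age`, or with a repeated directive, is invalid and ignored by browsers), plus a check of whether a policy learned from one host would force HTTPS for another host. The host names `domain.de` and `dev.domain.de` are constructed sample values for the situation in the question, not names from the page.

```python
"""Parse Strict-Transport-Security headers and decide which hosts they cover."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse an HSTS header value.

    Returns None when a browser would discard the header: no max-age,
    a non-numeric max-age, or a directive that appears more than once
    (RFC 6797 section 6.1). Unknown directives are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_applies(policy: Optional[HstsPolicy], known_host: str, request_host: str) -> bool:
    """Would a policy cached for known_host force HTTPS on request_host?

    max-age=0 tells the browser to forget the host, so it never applies.
    Subdomains are only covered when includeSubDomains was set, and only
    true subdomains (a dot boundary), so evildomain.de is not covered by domain.de.
    """
    if policy is None or policy.max_age == 0:
        return False
    known_host = known_host.lower()
    request_host = request_host.lower()
    if request_host == known_host:
        return True
    return policy.include_subdomains and request_host.endswith("." + known_host)


def describe(header: str, known_host: str, dev_host: str) -> str:
    """Summarise, for a header served by known_host, what happens to dev_host."""
    policy = parse_hsts(header)
    if policy is None:
        return "header is invalid and will be ignored by browsers"
    covered = hsts_applies(policy, known_host, dev_host)
    note = f"{dev_host} {'is' if covered else 'is not'} forced to HTTPS"
    if policy.preload:
        note += "; preload is set, so removing the header later will not undo a submitted preload"
    return note


if __name__ == "__main__":
    # Constructed sample headers: the strict production form and the relaxed one.
    STRICT = "max-age=31536000; includeSubDomains; preload"
    RELAXED = "max-age=31536000"
    for header in (STRICT, RELAXED):
        print(f"{header!r}: {describe(header, 'domain.de', 'dev.domain.de')}")
```

`describe()` shows the trade-off the second and third answers describe: the relaxed header stops the dev subdomain from being upgraded, but it also stops protecting every other subdomain, and if `preload` was already submitted the header change alone changes nothing.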