hsts

I've changed a site to https and have set up a redirect in .htaccess. But I've also set Strict Transport Security. Are both necessary or useful? <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=16070400" </IfModule> <IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] </IfModule> Cheers A redirect tells people who enter http://www.example.com to go to https://www.example.com . Since the default is http, if you leave off the protocol and just type www.example.com then you will go to http://www

This is a followup question to Google Chrome redirecting localhost to https . Does anyone know, how to permanently exclude localhost from HSTS list in Google Chrome? Or, any other elegant solution that wouldn't require developer to visit chrome://net-internals/#hsts and delete localhost every time when switching from working on an HTTPS project to a different project on HTTP? Update: You can install a proper SSL certificate for those domains if you want to for free, so you won't need to mess around with HSTS. Take a look here . You may edit your system's hosts file: On Windows: C:\Windows

I had a Rails application with config.force_ssl = true , but now I dont want SSL encryption, but my app is still redirecting to https. I read this is a HTTP Strict Transport Security problem on Apache. How can I disable it? Bruno It's not a problem with Apache, but with the fact that Rails sends an HSTS header. In Chrome, you can clear the HSTS state by going into about:net-internals , as described in ImperialViolet: HSTS UI in Chrome . You may also have to clear the cache, since config.force_ssl = true also uses a 301 (permanent) redirection. In addition, according to this answer , you could