How to disable HTTP Strict Transport Security?

感动是毒 2020-12-04 16:53

I had a Rails application with config.force_ssl = true, but now I don't want SSL encryption, but my app is still redirecting to https. I read this is a HTTP Stri

5 answers
  •  死守一世寂寞
    2020-12-04 17:18

    Figured I'd offer a bit of thought on this. Setting cache time to 0 is a best bet and if you turn it off you need to leave it at 0 for weeks to clear out clients' browsers. If you just need to clear HSTS in Chrome (for your own browser) you can use chrome://net-internals/#hsts in the address bar to clear the cache for your site at your specific browser. Combined with the below "doorway" it becomes useful.

    You can set temporary HSTS modes by setting/spoofing a custom header => key. Basically if a special request header exists, and it matches a key, set HSTS with a cache time of whatever you need. This would allow you to turn on or shut off HSTS for all traffic but you. Useful for trying HSTS out before you globally enable (to make sure all assets are loading). Also useful if you wanna temporarily clear out client cache while something is repaired (leaving you room for test).
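
The header-keyed "doorway" from the answer above, sketched as Rack middleware for a Rails app like the one in the question. This is an added example, not code from the thread; the class name `HstsDoorway`, the `X-HSTS-Preview` request header, and the key and max-age values are assumptions.

```ruby
require "digest"

# Hypothetical middleware: every HTTPS response carries max-age=0 (clearing
# cached HSTS), except requests presenting the preview key, which get a
# short trial max-age.
class HstsDoorway
  HEADER = "strict-transport-security"
  PREVIEW_ENV_KEY = "HTTP_X_HSTS_PREVIEW" # Rack's env name for X-HSTS-Preview

  def initialize(app, preview_key:, preview_max_age: 300, default_max_age: 0)
    @app = app
    @key_digest = Digest::SHA256.digest(preview_key)
    @preview_max_age = preview_max_age
    @default_max_age = default_max_age
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Browsers ignore HSTS received over plain HTTP (RFC 6797), so the
    # header, including max-age=0, only takes effect on HTTPS responses.
    if env["rack.url_scheme"] == "https" || env["HTTPS"] == "on"
      max_age = preview?(env) ? @preview_max_age : @default_max_age
      headers[HEADER] = "max-age=#{max_age}"
    end
    [status, headers, body]
  end

  private

  def preview?(env)
    supplied = env[PREVIEW_ENV_KEY]
    return false if supplied.nil? || supplied.empty?
    # Hash both sides to equal length, then compare without early exit so
    # response timing does not leak how much of the key matched.
    diff = 0
    Digest::SHA256.digest(supplied).bytes.zip(@key_digest.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $0
  # Constructed sample requests against a stub app.
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }
  mw = HstsDoorway.new(app, preview_key: "constructed-sample-key")
  public_req  = { "rack.url_scheme" => "https" }
  preview_req = public_req.merge("HTTP_X_HSTS_PREVIEW" => "constructed-sample-key")
  puts mw.call(public_req)[1][HstsDoorway::HEADER]
  puts mw.call(preview_req)[1][HstsDoorway::HEADER]
end
```

Keep the preview max-age short: whichever browser sends the key will pin HTTPS for that long, and the key itself should only ever travel over HTTPS.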
