How to disable Chrome HSTS permanently for a subdomain

Submitted by 左心房为你撑大大i on 2020-12-27 08:51:51

Question


I have following setup:

The application https://app.domain.de is our production environment and is automatically forwarded to use HTTPS. All works fine here. On top, there are several development versions of the application for our QA-Team accessible via http://develop.app.domain.de (no HTTPS needed here).

The problem begins here: As soon as I visit https://app.domain.de Chrome (and I guess also other browsers) forwards http://develop.app.domain.de (no HTTPS) also to https://develop.app.domain.de (HTTPS). I can of course disable HSTS and clear the cache for this domain and http://develop.app.domain.de will work again, but only until I visit https://app.domain.de again.

I cannot enable HTTPS for our development environments as you need to have at least a Hobby Plan in Heroku to do so, and that would therefore be a waste of money for all our development and test versions of the application. I would also like to keep the URL schema.

So my question is: how can I disable this nasty forwarding (HSTS) permanently?


Answer 1:


You can type thisisunsafe anywhere on the Google Chrome warning page and it will load it without warning. No joke.




Answer 2:


HSTS is not "nasty" - it's a security feature. And one that your domain has voluntarily chosen to activate!

You can remove the includeSubDomains option from production so it's only applied to the top-level domain and not subdomains, providing you have not submitted it to be preloaded into web browsers (please tell me you didn't preload it without fully understanding what that entailed! - you can check this by running your main domain through the SSL Labs testing tool).

However, the world is moving towards HTTPS everywhere and your development environments do not reflect production. Some features (HTTP/2, Geolocation... etc.) will only work when using HTTPS and this list is growing. Also, depending on how you develop and reference resources, you might start seeing mixed content warnings or missing content once you deploy to production. So in my opinion you DO need HTTPS in your development/QA environments. While I do not know your platform, you really are better off figuring out how to set up HTTPS on your dev environments rather than trying to work around this. Self-signed certificates can be created for free and made to be trusted in your test environment so they are indistinguishable from real certificates to a select number of users.




Answer 3:


On the main domain, you can remove the includeSubDomains option of your HSTS header, so it will not redirect the subdomain.

However, this is not the most secure solution. To be effective, it's better to set HSTS+includeSubDomains on all your domains and subdomains (or an attacker can fake the domain "http://secure.yourdomain.com", for example).

So the most secure solution is to use a self-signed certificate (or a real one) for your dev domains and import it into your browsers beforehand.
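The following Python script is an added example and is not part of the question or of answers 2 and 3 above; it models the browser-side HSTS rules from RFC 6797 that both answers rely on: a Strict-Transport-Security header is only honoured on a response received over HTTPS, the cached entry is keyed by the exact host, a superdomain entry reaches develop.app.domain.de only when it carries includeSubDomains, and max-age=0 removes the entry. The host names and header values are constructed from the question's setup. The browser preload list is outside this model, which is why the preload check answer 2 mentions still matters: a preloaded includeSubDomains entry keeps upgrading the subdomain no matter what header the server now sends.

```python
"""Model of a browser's HSTS cache (RFC 6797), applied to the question's hosts.
Added example; hostnames and headers are constructed, not taken from a real site."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit


@dataclass
class HstsPolicy:
    """One cached HSTS entry for a host."""
    max_age: int
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None for an invalid header (missing or duplicated max-age), which a
    browser treats as if no header were sent. Directive names are
    case-insensitive; unknown directives such as 'preload' are ignored."""
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(max_age=max_age, include_subdomains=include_subdomains)


class HstsCache:
    """Minimal model of the per-host HSTS store a browser keeps."""

    def __init__(self) -> None:
        self._entries: Dict[str, HstsPolicy] = {}

    def observe(self, url: str, sts_header: str) -> None:
        """Record a header seen on a response. Only HTTPS responses count
        (RFC 6797 section 8.1); max-age=0 deletes the host's entry."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return
        policy = parse_sts_header(sts_header)
        if policy is None:
            return
        if policy.max_age == 0:
            self._entries.pop(parts.hostname, None)
        else:
            self._entries[parts.hostname] = policy

    def is_known_hsts_host(self, host: str) -> bool:
        """Exact match always counts; a superdomain entry counts only when it
        was stored with includeSubDomains (RFC 6797 section 8.2/8.3)."""
        host = host.lower()
        if host in self._entries:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = self._entries.get(".".join(labels[i:]))
            if parent is not None and parent.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser would actually fetch for this request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_hsts_host(parts.hostname):
            return "https://" + url[len("http://"):]
        return url


def demo() -> Dict[str, str]:
    """Replay the question's scenario under the different header choices."""
    dev, prod = "http://develop.app.domain.de/", "https://app.domain.de/"
    results: Dict[str, str] = {}
    # Production as the question describes it: the visit pins every subdomain.
    cache = HstsCache()
    cache.observe(prod, "max-age=31536000; includeSubDomains")
    results["with includeSubDomains"] = cache.rewrite(dev)
    # The change answers 2 and 3 propose: production stays pinned, dev does not.
    cache = HstsCache()
    cache.observe(prod, "max-age=31536000")
    results["without includeSubDomains"] = cache.rewrite(dev)
    results["production still pinned"] = cache.rewrite("http://app.domain.de/")
    # max-age=0 over HTTPS evicts the entry for clients that already cached it.
    cache.observe(prod, "max-age=0")
    results["after max-age=0"] = cache.rewrite("http://app.domain.de/")
    # A header received over plain HTTP is ignored, so dev cannot pin itself.
    cache = HstsCache()
    cache.observe(dev, "max-age=31536000; includeSubDomains")
    results["header over plain http"] = cache.rewrite(dev)
    return results


if __name__ == "__main__":
    for case, fetched in demo().items():
        print(f"{case:28s} -> {fetched}")
```

To see what the production site currently sends, `curl -sI https://app.domain.de | grep -i strict-transport-security` shows the live header; feeding that value to `parse_sts_header` tells you whether includeSubDomains is the cause. Note that removing the directive only stops new pinning: a browser that already cached the includeSubDomains entry keeps it until its max-age expires or the user clears it, unless the server sends a new header that replaces it.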



Source: https://stackoverflow.com/questions/44650854/how-to-disable-chrome-hsts-permanently-for-a-subdomain
