Clear or Disable HSTS for Chrome, Firefox and Internet Explorer

Improper setup of HTTP Strict Transport Security (HSTS) can block access to a site and trigger errors like NET::ERR_CERT_AUTHORITY_INVALID. These issues often lead users to clear or disable HSTS settings.

What is HSTS?

HSTS is a security feature that makes browsers use only secure HTTPS connections for certain websites, protecting against attacks like SSL stripping that downgrade connections to HTTP. However, if SSL/TLS certificates are misconfigured or expired, HSTS can cause errors like “Your connection is not private” and block access to websites without allowing a bypass.

If the site works on another browser or device, it’s likely an HSTS issue. Clearing or disabling HSTS can temporarily fix the error, but this reduces security.

1. Clear HSTS settings in Chrome

A problem with HSTS settings in Chrome typically results in a “Your connection is not private” error. By expanding the Advanced menu linked to this error, you might see a note about HSTS, such as “You cannot visit *website name* because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.”

  1. Open Google Chrome and paste the following in the omnibar:
    chrome://net-internals/#hsts

  2. Ensure the Domain Security Policy section is expanded. Use the Domain box (under Query HSTS/PKP domain) to enter the domain for which you’re trying to clear the HSTS settings. A list of values will appear.
  3. After the values appear, scroll down to Delete domain security policies. Enter the same domain name and click the Delete button to clear the HSTS settings.
  4. Restart Chrome and check if you can access the domain you cleared the HSTS settings for. If the issue was related to the HSTS settings, the website should now be accessible.

2. Clear or Disable HSTS settings in Firefox

Compared to Chrome, Firefox offers multiple ways to clear or disable HSTS settings. We will start with the automatic methods, but manual approaches are also included.

2.1. Clear the Settings by Forgetting the Website

  1. Open Firefox and close all open tabs and pop-ups.
  2. Press Ctrl + Shift + H (or Cmd + Shift + H on Mac) to open the Library menu.
  3. Search for the site you want to delete HSTS settings for. Use the search bar in the top-right corner to help.
  4. Once you find the website, right-click on it and select Forget About this Site. This will clear the HSTS settings and other cached data for this domain.
  5. Restart Firefox and check if the issue is resolved. If it was an HSTS issue, you should now be able to access the website normally.

If this method wasn’t effective or you’re looking to clear the HSTS settings without clearing the rest of your cached data, move to the other methods below.

2.2. Clear HSTS by Clearing Site Preferences

  1. Open Firefox, click the Library icon, and select History > Clear Recent History.
  2. In the Clear All History window, set the Time range to clear drop-down menu to Everything.
  3. Expand the Details menu and uncheck every option except for Site Preferences.
  4. Click the Clear Now button to remove all site preferences, including HSTS settings.
  5. Restart Firefox to check if the issue has been resolved at the next startup.

2.3. Clear the HSTS settings by editing the user profile

  1. Close Firefox completely, including all pop-ups and tray icons.
  2. Go to your Firefox user profile location. Here are possible paths:
    C:\Users\*YourUsername*\AppData\Local\Mozilla\Firefox\Profiles
    
    C:\Users\*YourUsername*\AppData\Roaming\Mozilla\Firefox\Profiles
    
    /Users/*YourUsername*/Library/Application Support/Firefox/Profiles - Mac

    Note: You can find your user profile by typing “about:support” in the navigation bar and pressing Enter. Under Application Basics, find the Profile Folder and click Open Folder. Make sure Firefox is fully closed once the folder is open.

  3. In the Profile Folder, open SiteSecurityServiceState.txt with a text editor. This file holds cached HSTS and HPKP settings.
  4. To clear HSTS settings for a domain, delete the entire entry, and save the .txt document. Be cautious not to remove other information, as the format is disorganized. Example of an HSTS entry:
    appual.disqus.com:HSTS 0 17750 1533629194689,1,1,2

    Note: You can rename the file from .txt to .bak to keep the original, forcing Firefox to create a new file and clear existing HSTS settings.

  5. After deleting the entry and saving the file, close SiteSecurityServiceState.txt and restart Firefox to check if the issue is resolved.
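
The manual edit in steps 3 to 5 can also be scripted. The Python below is an added example, not code from the original article or from Mozilla. It assumes the four-column layout of the sample entry above, with the last column starting with an expiry time in milliseconds since the Unix epoch. It removes only the HSTS entry for one exact host name and keeps the original as a .bak copy; run it with Firefox closed.

```python
import shutil
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample entries in the layout the page shows. Real files put tabs
# between the four columns; split() accepts tabs or spaces.
SAMPLE = (
    "appual.disqus.com:HSTS\t0\t17750\t1533629194689,1,1,2\n"
    "example.org:HSTS\t3\t17800\t1560000000000,1,0,2\n"
    "example.org:HPKP\t1\t17800\t1560000000000,1,0,2\n"
)

def parse_entry(line):
    """Return host, type and expiry for one entry, or None if it does not fit."""
    parts = line.split()
    if len(parts) != 4 or ":" not in parts[0]:
        return None
    host, _, kind = parts[0].rpartition(":")
    fields = parts[3].split(",")
    if not fields[0].isdigit():
        return None
    # Assumed field meaning: first value is the expiry in ms since the epoch.
    expires = datetime.fromtimestamp(int(fields[0]) / 1000, tz=timezone.utc)
    return {"host": host.lower(), "type": kind, "expires": expires}

def remove_hsts(path, domain):
    """Delete only the HSTS entry for an exact host; back up the file first."""
    path = Path(path)
    kept, removed = [], []
    for line in path.read_text(encoding="utf-8").splitlines(keepends=True):
        entry = parse_entry(line)
        if entry and entry["type"] == "HSTS" and entry["host"] == domain.lower():
            removed.append(entry)
        else:
            kept.append(line)  # other hosts, HPKP and unparsed lines stay as-is
    if removed:
        shutil.copy2(path, path.with_suffix(".bak"))  # original kept as .bak
        path.write_text("".join(kept), encoding="utf-8")
    return removed

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "SiteSecurityServiceState.txt"
        f.write_text(SAMPLE, encoding="utf-8")
        for e in remove_hsts(f, "appual.disqus.com"):
            print("removed", e["host"], "expiry", e["expires"].date())
        print(f.read_text(encoding="utf-8"), end="")
```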

2.4. Disable HSTS from inside the Firefox Browser

  1. Open Firefox and type “about:config” in the address bar. Click the I accept the risk! button to access the Advanced settings menu.
  2. In the search bar at the top-right corner, type “hsts” to find the relevant settings.
  3. Double-click security.mixed_content.use_hstsc to toggle the setting and disable HSTS in Firefox.

3. Clearing or Disabling HSTS settings in Internet Explorer

HSTS is a key security feature and is enabled by default in both Internet Explorer and Microsoft Edge. While it’s generally advised not to disable HSTS in these browsers, you can disable it in Internet Explorer if necessary.

Note: The procedure is longer if you have an x64-based system than if you have an x86-based system.

  1. Open a Run box by pressing Windows key + R. Type regedit and press Enter to launch the Registry Editor.
  2. Navigate to the following path:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl
  3. Right-click FeatureControl, select New > Key, and name it FEATURE_DISABLE_HSTS.
  4. Right-click FEATURE_DISABLE_HSTS, choose New > DWORD (32-bit) Value.
  5. Name it iexplore.exe and press Enter.
  6. Right-click on iexplore.exe, select Modify, set the Value data to 1, and click OK.
    Note: For x86 systems, save and reboot to apply changes. For x64 systems, continue below.
  7. Go to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl
  8. Repeat the steps to create FEATURE_DISABLE_HSTS and iexplore.exe as before.
  9. Double-click iexplore.exe, change the Value data to 1, and click OK.
  10. Reboot your computer to apply the changes and check if HSTS is disabled in Internet Explorer.

ABOUT THE AUTHOR

Kamil Anwar

Kamil is a certified MCITP, CCNA (W), CCNA (S) and a former British Computer Society member with over 9 years of experience configuring, deploying and managing switches, firewalls and domain controllers. He is also old-school and still active on FreeNode.

Comments

    RxDxPx Mar 19, 2019

    Disable on IE doesn’t work, at least on Windows 10.

    Gioser Zamora May 11, 2019

    It doesn’t work on Windows 8.1 and IE 11.

      Shane Warren Author May 16, 2019

      The easiest way to remove this is to temporarily change the max-age to 0 on your server and then visit the site. This will reset it and then you can set it again properly.
      There are certain browsers that don’t support this feature and the only way to resolve this is by doing the above method.

    Nate Aug 12, 2019

    Disabling HSTS doesn’t work on Firefox.

      Shane Warren Author Sep 5, 2019

      There are several methods, which one did you try?

    Dre B Oct 14, 2019

    It works on Chrome, but I have to do it every time I try to access the website.

      Shane Warren Author Oct 17, 2019

      Sad to hear that. For which site are you getting the error? Or is it for a couple of sites?

        Dre B Oct 17, 2019

        It’s a localhost website, not external.

          Shane Warren Author Oct 19, 2019

          Seems like you are left without any other option. Unfortunately, you will have to do it every time.

      Argon2000 Mar 5, 2020

      I have the same issue, but not when browsing from Incognito mode.

        Shane Warren Author Mar 6, 2020

        Might be an extension that is messing up. First clear your history and cache completely, and after that disable all extensions and check if that fixes the issue.

          Argon2000 Mar 6, 2020

          No, it was actually the standard DotNet core WebAPI project that added “app.UseHsts();” as default in Startup.cs. After commenting out that line and publishing the project again, the problem no longer occurs.

    yogesh kumar Nov 3, 2020

    Don’t do anything, just log in in incognito mode; it will work fine.

    yogesh kumar Nov 3, 2020

    Simply log in in incognito mode in Chrome; it will work.

    Kyle Mathers Feb 18, 2021

    I tried it. Doesn’t work

    jamtrax Aug 5, 2021

    When you’re at the error page in Chrome, simply type thisisunsafe on your keyboard

      qube Aug 18, 2021

      Ty, this worked!

      John Turner Nov 12, 2021

      wow – worked! Nothing else would – not even the steps in the blog post

        Muhammad Zubyan Author Nov 13, 2021

        Thank you so much for your input! We will add this to our blog as well.

      don snead May 26, 2022

      bruh

      Dragan Jovanović Jul 18, 2022

      HOLY SHIT I CAN’T BELIEVE THIS AJKHKLAHKJHAKJHKJAJKAHJAH ITS ACTUALLY TRUE

    Shonun Oct 23, 2021

    Your method as described for Chrome (at least) is domain specific. However, with this problem occurring very often now, notably increasing about two weeks ago (per a number of other forum comments and it matches my experience), it’s not practicable to stop and use the chrome://net-internals/#hsts command each time to modify a single domain. Is there not a more generalized approach, i.e. to affect a change in Chrome settings? Perhaps this would defeat the purpose of HSTS, but I’m not having any issues with Firefox as my alternate browser. In most cases, the warning I receive is simply NET::ERR_CERT_DATE_INVALID even though my PC date/time/timezone are correct and it’s set for automatic sync with the Internet.

      Muhammad Zubyan Author Oct 23, 2021

      Try this: https://appuals.com/fix-goo…

    bmlgm Oct 28, 2021

    No longer works for Firefox, no such about:config setting is exposed. I just became an Edge user apparently.

    kskwin Sep 1, 2022

    How can this be done automatically and periodically?