For all of its security advantages, you can easily lock yourself out of a website if you manage to configure the HSTS settings improperly. Browser errors such as NET::ERR_CERT_AUTHORITY_INVALID are the number one reason why users search for a way to get around HSTS by either clearing the HSTS settings or by disabling them.
What is HSTS?
HSTS (HTTP Strict Transport Security) is a web security mechanism that helps browsers establish connections via HTTPS and limit insecure HTTP connections. The HSTS mechanism was mostly developed to tackle SSL Strip attacks capable of downgrading secure HTTPS connections to less secure HTTP connections.
However, some HSTS settings will cause browser errors that will make your browsing experience a lot less enjoyable. Here’s a Chrome error that is often triggered by an improper HSTS configuration:
“Privacy error: Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID)
If you are receiving a privacy error when trying to visit a particular website and the same site is accessible from another browser or device, there’s a strong chance that you have a problem with how the HSTS settings are configured. If that’s the case, the solution would be to either clear or disable HSTS for your web browser.
Below you have a collection of guides that will help you clear or disable your HSTS settings. Please follow the guides associated with your particular browser and feel free to follow whichever solution is most applicable to your particular scenario.
Clearing HSTS settings in Chrome
A problem with the HSTS settings in Chrome will usually display a “Your connection is not private” type error in Chrome. If you were to expand the Advanced menu (associated with the error) you’ll likely see a small mention about HSTS ( “You cannot visit *website name* because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.“)
If you’re experiencing the same behavior, follow the steps down below to delete the HSTS cache from your Chrome browser:
- Open Google Chrome and paste the following in the omnibar.
- Make sure the Domain Security Policy is expanded, then use the Domain box (under Query HSTS/PKP domain) to enter to the domain that you’re trying to clear the HSTS settings for. You will be returned a list of values.
- Once the values are returned, scroll down to Delete domain security policies. enter the same domain name and click the Delete button to clear the HSTS settings.
- Restart Chrome and see if you are able to access the domain that you previously cleared the HSTS settings for. If the issue was related to the HSTS settings, the website should be accessible.
Clearing or Disabling HSTS settings in Firefox
When compared to Chrome, Firefox has multiple ways of clearing or disabling the HSTS settings. We are going to start with the automatic methods first but we also included a couple of manual approaches.
Method 1: Clearing the Settings by Forgetting the Website
- Open Firefox and make sure every open tab or pop-up is closed.
- Press Ctrl + Shift + H (or Cmd + Shift + H on Mac) to open the Library menu.
- Search for the site that you wish to delete the HSTS settings for. You can make it easier for yourself by using the search bar in the top-right corner.
- Once you manage to find the website you’re trying to clear the HSTS settings for, right-click on it and select Forget About this Site. This will clear the HSTS settings and other cached data for this particular domain.
- Restart Firefox and see if the issue has been resolved. If this was an HSTS issue, you should now be able to browse the website normally.
If this method wasn’t effective or you’re looking for a way to clear the HSTS settings without clearing the rest of your cached data, move over to the other methods below.
Method 2: Clearing HSTS by clearing Site Preferences
- Open Firefox, click the Library icon and select History > Clear Recent History.
- In the Clear All History window, set the Time range to clear drop-down menu to Everything.
- Next, expand the Details menu and uncheck every option except for Site Preferences.
- Click the Clear Now button to clear all site preferences including the HSTS settings.
- Reboot Firefox and see if the issue has been resolved at the next startup.
Method 3: Clearing the HSTS settings by editing the user profile
- Close Firefox completely and all associated pop-ups and tray icons.
- Navigate to the location of the user profile of your Firefox. Here’s a list with potential locations:
C:\ Users*\ AppData \ Local \ Mozilla \ Firefox \ Profiles C:\ Users* \ AppData \ Roaming \ Mozilla \ Firefox \ Profiles / Users / * /Library / Application Support / Firefox / Profiles - Mac
Note: You can also locate your user profile by pasting “about:support” in the navigation bar at the top and hitting Enter. You will find the Profile Folder location under Application Basics. Simply Click on Open Folder to get to the Profile Folder. But once you do so, make sure you close Firefox completely.
- In the Profile Folder of Firefox, open SiteSecurityServiceState.txt in any text editor program. This file contains cached HSTS and HPKP (Key Pinning) settings for domains that you have previously visited.
- To clear the HSTS settings for a particular domain, simply delete the entire entry and save the .txt document. Keep in mind that the format is messy, so be careful not to delete information from other entries. Here’s an example of an HSTS listing:
appual.disqus.com:HSTS 0 17750 1533629194689,1,1,2
Note: You can also rename the entire file from .txt to .bak in order to keep the existing file just in case. This will force Firefox to create e new file and start from scratch, eliminating any HSTS settings that you previously saved.
- With the entry deleted and the file saved, close SiteSecurityServiceState.txt and restart Firefox to see if the issue has been resolved.
Method 4: Disable HSTS from inside the Firefox Browser
- Launch Firefox and type “about:config” in the address bar at the top. Next, click on I accept the risk! button to enter the Advanced settings menu.
- Search for “hsts” using the search bar in the top-right corner of the screen.
- Double-click on security.mixed_content.use_hstsc to toggle the setting in order to Disable HSTS on Firefox.
Clearing or Disabling HSTS settings in Internet Explorer
Since it’s an important security improvement, HSTS is enabled by default on both Internet Explorer and Microsoft Edge. Although it’s not recommended to disable HSTS inside Microsoft’s browsers, you can turn the feature off for Internet Explorer. Here’s a quick guide on how to do this via Registry Editor:
Note: Keep in mind that the procedure is longer if you have an x64-based system than if you have an x86-based system.
- Press Windows key + R to open up a Run box. Then, type “regedit” and hit Enter to open Registry Editor.
- Using the left-pane of Registry Editor, navigate to the following registry subkey:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Internet Explorer \ Main \ FeatureControl
- Right-click on FeatureControl and choose New > Key. Name it FEATURE_DISABLE_HSTS and press Enter to create the new key.
- Right-click on FEATURE_DISABLE_HSTS and choose New > DWORD (32-bit) value.
- Name the newly created DWORD to iexplore.exe and hit Enter to Confirm.
- Right-click on iexplore.exe and choose Modify. In the Value data box, type 1 and click Ok to save the changes.
Note: If you’re on an x86-based system, you can save the changes, reboot your computer and see if the method has been successful. If you’re doing this on an x64-based system, continue with the next steps below.
- Use the left pane again to navigate to the following registry subkey:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Wow6432Node \ Microsoft \ Internet Explorer \ Main \ FeatureControl \
- Right-click on FeatureControl and choose New > Key, name it FEATURE_DISABLE_HSTS and hit Enter to save the changes.
- Right-click on FEATURE_DISABLE_HSTS and choose New > DWORD (32-bit) value and name it iexplore.exe.
- Double-click on iexplore.exe and change the Value data box to 1 and hit Ok to save the changes.
- Reboot your computer and see if the HSTS settings have been disabled for Internet Explorer at the next startup.