How to Remove HSTS from URL Test Server Url in Browser?

I have a prod server (example.com) and local vbox vm test server (test.example.com), both running nextcloud. I am developing using Ubuntu Mozilla Firefox 89.0.2.

The test server uses example.com, but has a domain alias test.example.com, that I use to differentiate between test and prod when working.

I accidentally added the following HSTS apache2 directive to my test server:

   <IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
   </IfModule>

The net result is that I can't open the test nextcloud site and the prod nextcloud simultaneously in my browser because `test.example.com` will suddenly switch to `https://test.example.com` and lock me out.

I have researched and tried multiple different methods to remove HSTS from the test URL, which are:

1.) The "Forget About This Website" method via the firefox browser history for both test.example.com and example.com

2.) I tried deleting "Site Preferences", using "Everything" as the time period, under Privacy & Security Settings (I went to the max and deleted cache, cookies, browser history, -everything-)

3.) I edited "SiteSecurityServiceState.txt" located in my browser profile folder.

4.) I also used about:config and switched `security.mixed_content.block_display_content` from "false" to "true"

5.) I also made the file `SiteSecurityServiceState.txt` as to to completely HSTS in the browser, yet the problem still persists. (even tried deleting it)

6.) Also, in my `/var/www/config/config.php` for nextcloud, I have also edited the trusted domains section as follows:

   'trusted_domains' =>
     array (
       0 => 'test.example.com',
     ),

All of this has failed to permanently correct the problem. I might be able to access test.example.com for a short period of time, but if prod server example.com is opened the problematic `https://test.example.com` returns.

And FYI, `https://hstspreload.org/?domain=example.com` still shows:

   Warning: Unnecessary HSTS header over HTTP
   The HTTP page at http://example.com sends an HSTS header. This has no effect over HTTP, and should be removed.

Help :-/

All replies (1)

I would assume that this is a problem with the server that still sends HSTS data.

You can possibly try to catch this via HTTP logging via the about:networking page.
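
The symptom in the question (test.example.com switching to HTTPS again once example.com has been opened) matches how RFC 6797 handles `includeSubDomains` on a parent domain. The Python model below is an added example, not part of the original thread and not Firefox's code; `HstsStore` and `demo` are hypothetical names, and it assumes the production host serves the quoted header over HTTPS.

```python
# Added example: minimal model of a browser's HSTS store, following RFC 6797.
class HstsStore:
    def __init__(self):
        self.entries = {}  # host -> (expiry time, includeSubDomains flag)

    def note_response(self, scheme, host, header, now):
        """Process a Strict-Transport-Security header seen on a response."""
        if scheme != "https" or header is None:
            return  # a header received over plain HTTP is ignored
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age":
                max_age = int(value.strip('"'))
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory; a header without it is ignored
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 deletes the entry
        else:
            self.entries[host.lower()] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if http://host would be rewritten to https://host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            # exact host match, or a parent domain that set includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def demo():
    header = "max-age=15552000; includeSubDomains"  # header quoted in the post
    store, results = HstsStore(), []
    store.note_response("http", "example.com", header, now=0)
    results.append(store.must_upgrade("test.example.com", now=1))  # ignored over HTTP
    store.note_response("https", "example.com", header, now=1)  # assumed: prod sends it over HTTPS
    results.append(store.must_upgrade("test.example.com", now=2))  # parent policy applies
    store.note_response("https", "example.com", "max-age=0", now=3)
    results.append(store.must_upgrade("test.example.com", now=4))  # entry cleared
    return results
```

In this model, clearing the browser's stored entry only helps until the next HTTPS response from example.com carries the header again, which is why the server-side header is the thing to check.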