
Strict transport security header ignored when root certificate missing

  • No replies
  • 1 person has this problem
  • 1 view

I look after an intranet site which is mandated by our security team to only allow https.

This site is hosted on RHEL 6.x with Apache, and I am only listening on port 443; port 80 is completely disabled and is not even allowed by iptables.

Security have now further mandated that HSTS is implemented, one of the reasons being that clickthrough for invalid certificates would be disabled, hence stopping the ability of a rogue server being stood up and taking over.

But, when I test this out, with the HSTS header in place, everything works as I would expect.

However, when I then remove my organisation's root certificate from the Firefox cert store, I get the invalid certificate warning, which I am able to click through.

With the developer tools console open, I see the following message:

Strict-Transport-Security: The connection to the site is untrustworthy, so the specified header was ignored.

This is on FF 50.0

What gives? How do I get it to stop connections?

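The behaviour in the console message is the rule in RFC 6797 (HTTP Strict Transport Security): a user agent must ignore a Strict-Transport-Security header received over a connection that has certificate errors, and it only refuses click-through on a later bad certificate for hosts it has already recorded as HSTS hosts from a clean connection. The following is an added example, not code from the original post or from Firefox, that models that policy store and runs the two situations described above side by side: a first visit with the root CA trusted, and a first visit with the root CA missing. The hostnames `intranet.example` and `app.intranet.example`, the header value and the fake clock are constructed for the example.

```python
"""Model of a browser's HSTS policy store (RFC 6797 sections 8.1-8.3).

Added example: simplified (no preload list, no 'preload' directive),
written to show why an STS header over an untrusted connection is ignored.
"""
from dataclasses import dataclass
import time


@dataclass
class HstsPolicy:
    host: str
    expires: float          # absolute time, seconds
    include_subdomains: bool


def parse_sts_header(value):
    """Parse 'max-age=N[; includeSubDomains]'.

    Returns (max_age, include_subdomains), or None when the header must be
    ignored (missing, duplicated or non-numeric max-age), as RFC 6797 6.1 requires.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')        # max-age="0" (quoted) is valid
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing expiry
        self.policies = {}                   # host -> HstsPolicy

    def process_response(self, host, tls_ok, headers):
        """Handle the STS header of a response. Returns what the UA did."""
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if sts is None:
            return "no-header"
        if not tls_ok:
            # RFC 6797 8.1: ignore STS headers over connections with
            # certificate errors. This is the Firefox console message.
            return "ignored: connection untrustworthy"
        parsed = parse_sts_header(sts)
        if parsed is None:
            return "ignored: malformed header"
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)    # max-age=0 deletes the policy
            return "deleted"
        self.policies[host] = HstsPolicy(host, self.now() + max_age, include_sub)
        return "stored"

    def is_known_host(self, host):
        """Exact match, or superdomain match when includeSubDomains was set."""
        labels = host.split(".")
        now = self.now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            if policy.expires <= now:
                del self.policies[candidate]  # expired policy is forgotten
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def connect(self, host, scheme, tls_ok):
        """Decide what the UA does for a navigation to host."""
        known = self.is_known_host(host)
        if scheme == "http":
            return "upgrade-to-https" if known else "proceed-plain-http"
        if tls_ok:
            return "proceed"
        # Certificate error: a known HSTS host is a hard failure with no
        # click-through (RFC 6797 8.4); an unknown host gets the usual warning.
        return "hard-fail" if known else "warn-clickthrough"


def run_scenarios():
    """Replay the two situations from the post against the model (constructed data)."""
    clock = [1_000_000.0]
    header = {"Strict-Transport-Security": "max-age=600; includeSubDomains"}
    results = {}

    # Scenario A: root CA trusted on the first visit, so the policy is recorded.
    store = HstsStore(now=lambda: clock[0])
    results["a_first"] = store.process_response("intranet.example", True, header)
    results["a_rogue"] = store.connect("intranet.example", "https", tls_ok=False)
    results["a_sub"] = store.connect("app.intranet.example", "https", tls_ok=False)
    results["a_http"] = store.connect("intranet.example", "http", tls_ok=True)
    clock[0] += 601                          # past max-age: policy expires
    results["a_expired"] = store.connect("intranet.example", "https", tls_ok=False)

    # Scenario B: root CA missing on the first visit, so the header is ignored.
    store = HstsStore(now=lambda: clock[0])
    results["b_first"] = store.process_response("intranet.example", False, header)
    results["b_rogue"] = store.connect("intranet.example", "https", tls_ok=False)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The practical consequence for the setup described in the post: HSTS can only block click-through on a host the browser has already visited over a connection with no certificate errors, so the organisation's root certificate has to reach every client's trust store (for example through enterprise policy) before the header does any good, and the policy then lasts only as long as `max-age` since the last clean visit. On Apache with mod_headers the header is set with `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`; the model above shows that this line is correct and still has no effect on a client that distrusts the server's chain.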