Avatar for Username

Pesquisar no site de suporte

Evite golpes de suporte. Nunca pedimos que você ligue ou envie uma mensagem de texto para um número de telefone, ou compartilhe informações pessoais. Denuncie atividades suspeitas usando a opção “Denunciar abuso”.

Learn More

Este tópico foi arquivado. Faça uma nova pergunta se precisa de ajuda.

How to Remove HSTS from URL Test Server Url in Browser?

  • 1 resposta
  • 1 tem este problema
  • 17 visualizações
  • Última resposta de cor-el

dragonsway
dragonsway
more options

I have a prod server (example.com) and local vbox vm test server (test.example.com), both running nextcloud. I am developing using Ubuntu Mozilla Firefox 89.0.2

The test server uses example.com, but has a domain alias test.example.com, that I use to differentiate between test and prod when working.

I accidentally added the following HSTS apache2 directive to my test server: 

   <IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
   </IfModule>

The net result, is that I can't open the test nextcloud site and the prod nextcloud simultaneously in my browser because `test.example.com` will suddenly switch to `https://test.example.com` and lock me out.

I have researched and tried all multiple different methods to remove HSTS from test url, which are:

1.) The "Forget About This Website" method via the firefox browser history for both test.example.com and example.com

2.) I tried deleting "Site Preferences", using "Everything" as the time period, under Privacy & Security Settings (I went to the max and deleted cache, cookies, browser history, -everything-)

3.) I edited "SiteSecurityServiceState.txt" located in my browser profile folder.

4.) I also used about:config and switched `security.mixed_content.block_display_content` from "false" to "true"

5.) I also made the file `SiteSecurityServiceState.txt` as to to completely HSTS in the browser, yet the problem still persists. (even tried deleting it)

5.) Also, in my `/var/www/config/config.php` for nextcloud, I have also edited the trusted domains section as follows: 

   'trusted_domains' =>
     array (
     0 => 'test.example.com',
       ),

All of this has failed to permanently correct the problem. I might be able to access test.example.com for a short period of time, but if prod server example.com is opened the problematic `https://test.example.com` returns.

And FYI, `https://hstspreload.org/?domain=example.com` still shows: 

   Warning: Unnecessary HSTS header over HTTP

   The HTTP page at http://example.com sends an HSTS header. This has no effect over HTTP,
   and should be removed.

Help :-/

I have a prod server (example.com) and local vbox vm test server (test.example.com), both running nextcloud. I am developing using Ubuntu Mozilla Firefox 89.0.2 The test server uses example.com, but has a domain alias test.example.com, that I use to differentiate between test and prod when working. I accidentally added the following HSTS apache2 directive to my test server: <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" </IfModule> The net result, is that I can't open the test nextcloud site and the prod nextcloud simultaneously in my browser because `test.example.com` will suddenly switch to `https://test.example.com` and lock me out. I have researched and tried all multiple different methods to remove HSTS from test url, which are: 1.) The "Forget About This Website" method via the firefox browser history for both test.example.com and example.com 2.) I tried deleting "Site Preferences", using "Everything" as the time period, under Privacy & Security Settings (I went to the max and deleted cache, cookies, browser history, -everything-) 3.) I edited "SiteSecurityServiceState.txt" located in my browser profile folder. 4.) I also used about:config and switched `security.mixed_content.block_display_content` from "false" to "true" 5.) I also made the file `SiteSecurityServiceState.txt` as to to completely HSTS in the browser, yet the problem still persists. (even tried deleting it) 5.) Also, in my `/var/www/config/config.php` for nextcloud, I have also edited the trusted domains section as follows: 'trusted_domains' => array ( 0 => 'test.example.com', ), All of this has failed to permanently correct the problem. I might be able to access test.example.com for a short period of time, but if prod server example.com is opened the problematic `https://test.example.com` returns. And FYI, `https://hstspreload.org/?domain=example.com` still shows: Warning: Unnecessary HSTS header over HTTP<br> The HTTP page at http://example.com sends an HSTS header. This has no effect over HTTP, and should be removed. Help :-/

Todas as respostas (1)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

I would assume that this is a problem with the server that still send HSTS data.

You can possibly try to catch this via HTTP logging via the about:networking page.