Avatar for Username

Vyhľadajte odpoveď

Vyhnite sa podvodom s podporou. Nikdy vás nebudeme žiadať, aby ste zavolali alebo poslali SMS na telefónne číslo alebo zdieľali osobné informácie. Nahláste prosím podozrivú aktivitu použitím voľby “Nahlásiť zneužitie”.

Learn More

Táto téma bola archivovaná. Ak potrebujete pomôcť, založte prosím novú otázku.

How to Remove HSTS from URL Test Server Url in Browser?

  • 1 odpoveď
  • 1 má tento problém
  • 21 zobrazení
  • Posledná odpoveď od cor-el

dragonsway
dragonsway
more options

I have a prod server (example.com) and local vbox vm test server (test.example.com), both running nextcloud. I am developing using Ubuntu Mozilla Firefox 89.0.2

The test server uses example.com, but has a domain alias test.example.com, that I use to differentiate between test and prod when working.

I accidentally added the following HSTS apache2 directive to my test server: 

   <IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
   </IfModule>

The net result, is that I can't open the test nextcloud site and the prod nextcloud simultaneously in my browser because `test.example.com` will suddenly switch to `https://test.example.com` and lock me out.

I have researched and tried all multiple different methods to remove HSTS from test url, which are:

1.) The "Forget About This Website" method via the firefox browser history for both test.example.com and example.com

2.) I tried deleting "Site Preferences", using "Everything" as the time period, under Privacy & Security Settings (I went to the max and deleted cache, cookies, browser history, -everything-)

3.) I edited "SiteSecurityServiceState.txt" located in my browser profile folder.

4.) I also used about:config and switched `security.mixed_content.block_display_content` from "false" to "true"

5.) I also made the file `SiteSecurityServiceState.txt` as to to completely HSTS in the browser, yet the problem still persists. (even tried deleting it)

5.) Also, in my `/var/www/config/config.php` for nextcloud, I have also edited the trusted domains section as follows: 

   'trusted_domains' =>
     array (
     0 => 'test.example.com',
       ),

All of this has failed to permanently correct the problem. I might be able to access test.example.com for a short period of time, but if prod server example.com is opened the problematic `https://test.example.com` returns.

And FYI, `https://hstspreload.org/?domain=example.com` still shows: 

   Warning: Unnecessary HSTS header over HTTP

   The HTTP page at http://example.com sends an HSTS header. This has no effect over HTTP,
   and should be removed.

Help :-/

I have a prod server (example.com) and local vbox vm test server (test.example.com), both running nextcloud. I am developing using Ubuntu Mozilla Firefox 89.0.2 The test server uses example.com, but has a domain alias test.example.com, that I use to differentiate between test and prod when working. I accidentally added the following HSTS apache2 directive to my test server: <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" </IfModule> The net result, is that I can't open the test nextcloud site and the prod nextcloud simultaneously in my browser because `test.example.com` will suddenly switch to `https://test.example.com` and lock me out. I have researched and tried all multiple different methods to remove HSTS from test url, which are: 1.) The "Forget About This Website" method via the firefox browser history for both test.example.com and example.com 2.) I tried deleting "Site Preferences", using "Everything" as the time period, under Privacy & Security Settings (I went to the max and deleted cache, cookies, browser history, -everything-) 3.) I edited "SiteSecurityServiceState.txt" located in my browser profile folder. 4.) I also used about:config and switched `security.mixed_content.block_display_content` from "false" to "true" 5.) I also made the file `SiteSecurityServiceState.txt` as to to completely HSTS in the browser, yet the problem still persists. (even tried deleting it) 5.) Also, in my `/var/www/config/config.php` for nextcloud, I have also edited the trusted domains section as follows: 'trusted_domains' => array ( 0 => 'test.example.com', ), All of this has failed to permanently correct the problem. I might be able to access test.example.com for a short period of time, but if prod server example.com is opened the problematic `https://test.example.com` returns. And FYI, `https://hstspreload.org/?domain=example.com` still shows: Warning: Unnecessary HSTS header over HTTP<br> The HTTP page at http://example.com sends an HSTS header. This has no effect over HTTP, and should be removed. Help :-/

Všetky odpovede (1)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

I would assume that this is a problem with the server that still send HSTS data.

You can possibly try to catch this via HTTP logging via the about:networking page.