I set this line in an SSL vhost on my server. I am running Apache 2.x.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
This was a major mistake, because now I want to remove it and force users back to http pages sometimes. It was not enabled for very long, but I don't want to lose anyone. If I try to force users back to http pages right now they end up in a redirect loop.
How can I unset or expire HSTS using settings on the server, so that when users do visit the site and hit the https version of the site, the Strict-Transport-Security setting is removed from their browser and they are able to be redirected to http?
I already know I made a dumb mistake. I learned a lesson and just need to clean it up now.
Figured it out:
NOTE: A max-age value of zero (i.e., "max-age=0") signals the UA to cease regarding the host as a Known HSTS Host, including the includeSubDomains directive (if asserted for that HSTS Host). See also Section 8.1 ("Strict-Transport-Security Response Header Field Processing").
From the RFC 6797 document.
So, I will just set the following line and leave it for a few months before removing it.
Header always set Strict-Transport-Security "max-age=0; includeSubDomains"
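To see why the max-age=0 header clears the lock-in, and why it has to be served on the https vhost rather than the http one, here is a small model of how a browser processes the Strict-Transport-Security header according to RFC 6797. This is an added example written for this page, not code from the poster or from Apache; the host names and the header sequence are constructed, and the model deliberately leaves out expiry timers (it only tracks whether a host is currently a Known HSTS Host).

```python
"""Toy model of RFC 6797 Strict-Transport-Security processing in a browser (UA).

Added example, not part of the original post. It models three rules that matter
when you want to back out of HSTS:
  * the STS header is ignored on a plain-http response (RFC 6797 s8.1),
  * only the first STS header field in a response is processed,
  * max-age=0 removes the host from the Known HSTS Hosts list.
Expiry timers are intentionally not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HstsEntry:
    max_age: int
    include_subdomains: bool


def parse_sts(value: str) -> Optional[Tuple[int, bool]]:
    """Parse one STS header field value into (max_age, includeSubDomains).

    Returns None when the value is invalid: max-age missing, non-numeric,
    or any directive repeated (RFC 6797 s6.1). Directive names are
    case-insensitive and unknown directives are ignored.
    """
    max_age: Optional[int] = None
    include_sub = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # max-age="0" is a legal quoted-string form
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class KnownHstsHosts:
    """The UA's Known HSTS Hosts store (constructed stand-in for a browser's)."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HstsEntry] = {}

    def process_response(self, host: str, over_tls: bool, sts_headers: List[str]) -> None:
        # s8.1: STS fields in a response received over insecure transport are ignored,
        # which is why the max-age=0 header must be on the https vhost.
        if not over_tls or not sts_headers:
            return
        parsed = parse_sts(sts_headers[0])  # only the first STS field counts
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host, None)  # cease regarding the host as a Known HSTS Host
        else:
            self.hosts[host] = HstsEntry(max_age, include_sub)

    def must_use_https(self, host: str) -> bool:
        """True if the UA would rewrite http:// to https:// for this host.

        Exact match always applies; a superdomain match applies only when
        that superdomain's entry asserted includeSubDomains (s8.2, s8.3).
        """
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is not None and (i == 0 or entry.include_subdomains):
                return True
        return False


def simulate_post_scenario() -> Tuple[bool, bool, bool]:
    """Replay the post: lock in with the long max-age, try to clear it over
    http (ignored), then clear it over https with max-age=0."""
    ua = KnownHstsHosts()
    ua.process_response("www.example.com", True, ["max-age=63072000; includeSubDomains"])
    locked = ua.must_use_https("www.example.com")
    ua.process_response("www.example.com", False, ["max-age=0; includeSubDomains"])
    still_locked = ua.must_use_https("www.example.com")
    ua.process_response("www.example.com", True, ["max-age=0; includeSubDomains"])
    cleared = ua.must_use_https("www.example.com")
    return locked, still_locked, cleared


if __name__ == "__main__":
    print(simulate_post_scenario())  # (True, True, False)
```

The replay makes the practical point behind the answer: a browser that already has the host pinned will turn any http:// link into https:// before it even connects, so the clearing header must be served by the https vhost, and the http vhost must stop redirecting to https for the same users, otherwise the redirect loop persists until the store is updated.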