How to disable Chrome HSTS permanently for a subdomain

chillyistkult · Jun 20, 2017 · Viewed 23.2k times

I have following setup:

The application https://app.domain.de is our production environment and is automatically forwarded to use HTTPS. All works fine here. On top, there are several development versions of the application for our QA-Team accessible via http://develop.app.domain.de (no HTTPS needed here).

The problem begins here: As soon as I visit https://app.domain.de, Chrome (and I guess also other browsers) forwards http://develop.app.domain.de (no HTTPS) also to https://develop.app.domain.de (HTTPS). I can of course disable HSTS and clear the cache for this domain and http://develop.app.domain.de will work again, but only until I visit https://app.domain.de again.

I cannot enable HTTPS for our development environments as you need to have at least a Hobby Plan in Heroku to do so, and that would therefore be a waste of money for all our development and test versions of the application. I would also like to keep the URL schema.

So my question is: how can I disable this nasty forwarding (HSTS) permanently?

Answer

stdclass · Mar 6, 2018

You can type thisisunsafe anywhere on the Google Chrome warning page and it will load it without warning. No joke.