I had a Rails application with config.force_ssl = true
, but now I dont want SSL encryption, but my app is still redirecting to https. I read this is a HTTP Strict Transport Security problem on Apache. How can I disable it?
It's not a problem with Apache, but with the fact that Rails sends an HSTS header.
In Chrome, you can clear the HSTS state by going into about:net-internals
, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = true
also uses a 301 (permanent) redirection.
In addition, according to this answer, you could also make your application send an STS header with max-age=0. In your controller:
response.headers["Strict-Transport-Security"] = 'max-age=0'