How to disable HTTP Strict Transport Security?

ruby-on-rails apache ssl https hsts
Phifo picture Phifo · May 17, 2012 · Viewed 50.5k times · Source

I had a Rails application with config.force_ssl = true, but now I dont want SSL encryption, but my app is still redirecting to https. I read this is a HTTP Strict Transport Security problem on Apache. How can I disable it?

Answer

Bruno picture Bruno · May 17, 2012

It's not a problem with Apache, but with the fact that Rails sends an HSTS header.

In Chrome, you can clear the HSTS state by going into about:net-internals, as described in ImperialViolet: HSTS UI in Chrome. You may also have to clear the cache, since config.force_ssl = true also uses a 301 (permanent) redirection.

In addition, according to this answer, you could also make your application send an STS header with max-age=0. In your controller:

response.headers["Strict-Transport-Security"] = 'max-age=0'

Related questions

Ruby on Rails Server options

The whole issue of setting up a development server for my Ruby on Rails application confuses me. There are WEBrick, Mongrel, Passenger, Apache, Nginx and many more I am sure, and I don't really understand the different roles they play. …

Read More
We're sorry, but something went wrong. - with Rails, Apache, Passenger

I have Rails 3.2.3 with Apache and Passenger. I have a project working in development mode. When I switch the project to production mode (Passenger standard) it gives me an HTTP Error 500: We're sorry, but something went wrong. This happens even …

Read More
How to prevent browser page caching in Rails

Ubuntu -> Apache -> Phusion Passenger -> Rails 2.3 The main part of my site reacts to your clicks. So, if you click on a link, it will send you on to the destination, and instantly regenerate your …

Read More