Spring boot: Do not send HSTS header

Leukipp picture Leukipp · Mar 9, 2018 · Viewed 12k times · Source

In a dev environment I have the problem that my browser (Yandex) redirects (307) an OPTIONS request to the https version of the URL. As we don't have SSL set up the request then fails with the error Response for preflight is invalid (redirect).

Answer

Barry Pollard picture Barry Pollard · Mar 10, 2018

If you don’t have HTTPS set up then the HSTS value should never be read - browsers must ignore HSTS sent over an unencrypted HTTP connection.

If you once did have HTTPS but now no longer do (or if you have HTTPS on some of your domains/pages), then your browser may have cached the HSTS setting for whatever max-age value was set when the browser last read the header. You would need to clear this in your browser. How to do this varies from browser to browser, but one of the easier ways that works in all browsers is to publish a new HSTS header with a max-age of 0 like you have done and then visit a page over HTTPS (not over unencrypted HTTP). This obviously requires you to have a HTTPS setup which you say you do not have? After all your browsers all have got the new setting for all affected domains, you can then stop publishing that HSTS header completely.

Skipping the reset step and just turning off the header when the browser has a previous version cached will not work - at least until the browser’s cached version expires after the max-age time.