Disabling HSTS

If you once had HTTP Strict Transport Security Show archive.org snapshot enabled for a domain, and you want to disable it again, you need to send this header over a secure connection:

Strict-Transport-Security: max-age=0;

The next time a browser visits your site, it will forget that it was once flagged as HTTPS-only.

Should you need to remove the HSTS flag from your local browser (e.g. for debugging), you can do so in Chrome by accessing chrome://net-internals/#hsts.

Henning Koch Almost 10 years ago