How to Clear HSTS Settings on Chrome, Firefox and IE Browsers?
A Quick Guide on What HSTS Is and How to Clear or Disable It on Your Browser
HSTS was originally created in response to a vulnerability that Moxie Marlinspike presented in his 2009 BlackHat Federal talk, “New Tricks for Defeating SSL in Practice.” The attack that HSTS defends against is the one demonstrated by Marlinspike’s SSLStrip tool.
Essentially, SSLStrip attacks secure HTTPS connections and downgrades them to unsecured HTTP ones. An HSTS policy prevents this attack by telling web browsers that only HTTPS connections should be made to the site.
For the most part, HSTS has been well received by developers and regular users because it strengthens online security and reduces the risk of your data being corrupted or your website being hacked.
Yet, the HSTS implementation can cause some hiccups from time to time by displaying HSTS errors in browsers. For example, Google Chrome can display:
“Privacy error: Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID).
If you try to reach the same website from another browser and that website opens without any error, then an HSTS setting is affecting your web browser.
In such a scenario, you’ll need to clear that setting, which can be done easily on most major web browsers.
What Causes HSTS Error in Popular Browsers?
- If your browser has an HSTS setting stored for a domain and you later try to connect to that website over HTTP, or over a broken HTTPS connection (for example, an expired certificate or a mismatched hostname), you may receive this error.
- If you’re a developer, you may get this HSTS error while testing an HSTS configuration.
- If you’re a website visitor and you receive this error, it’s mostly due to HSTS deployment on the site you’re visiting. As a user, it’s recommended to delete the local HSTS settings for the website or else wait for them to expire, which happens according to the ‘max-age’ set for them.
Steps to Clear HSTS Settings in Google Chrome
- Open your Chrome browser
- In the address bar, enter: chrome://net-internals/#hsts
- Find the Query HSTS/PKP domain field and enter the domain name of the website whose HSTS settings you want to delete.
- In the Delete domain security policies field, enter the domain name and press the Delete button.
Steps to Clear HSTS Settings in Mozilla Firefox
Method 1: Clearing the HSTS Settings by Forgetting the Website
- Close all open windows and open your Mozilla Firefox browsing History by pressing Ctrl + Shift + H (on Mac: Cmd + Shift + H).
- Now, go to the site for which you want to clear the HSTS settings.
- Right-click on the site and click on the Forget About This Site option. Note: This will clear all the data of the website currently in Firefox.
- Now, restart the browser, and the error should be resolved.
Method 2: Clearing the HSTS Settings by Clearing Site Preferences
- In Firefox, click the Library icon and go to History > Clear Recent History
- The Clear All History window will pop up. Set the Time range to clear drop-down menu to Everything, uncheck all the options, select only Site preferences and click the Clear Now button.
- Now, restart your browser, and the error should be resolved.
Method 3: Clearing the HSTS Settings by Editing the User Profile
- Close your Firefox browser entirely, including associated tray icons and pop-ups.
- Now, navigate to the Firefox’s user profile. Below are possible locations:
For Microsoft Windows Users:
C:\Users\*\AppData\Local\Mozilla\Firefox\Profiles
C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles
For Mac Users:
/Users/*/Library/Application Support/Firefox/Profiles
Or
- In the Firefox address bar, type about:support and hit Enter.
- The Application Basics page will open. Go to the Profile Folder section and click Open Folder. Once the folder is open, close the Firefox browser.
- Once you have opened the Profile Folder of Mozilla Firefox, find SiteSecurityServiceState.txt and open it in a text editor such as Notepad. It’s the file that contains the HSTS and HPKP (Key Pinning) settings for the domains you have previously visited.
- An example of an HSTS listing:
connect.facebook.net:HSTS 0 18257 1608961528860,1,1,2
- Now, delete the HSTS information of the website you want.
- Once you delete the entry, save and close the file and restart your Firefox browser.
- Be careful to delete only the information of the website you want.
- Another option is to rename the file extension from .txt to .bak. That way you’ll have a backup of the existing file, and Firefox will create a new file from scratch, which will eliminate any previously saved HSTS settings.
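The manual edit in Method 3 can be scripted so that only the intended domain is touched. The following is an added example, not part of the original guide: it parses listings in the format shown above and drops the HSTS entry for one host. Reading the comma-separated value as expiry time in milliseconds, state and include-subdomains flag is an assumption based on the sample line, and the two example.test lines are constructed.

```python
from datetime import datetime, timezone

# Constructed sample: the first line is the listing shown in this guide,
# the other two are made-up entries for illustration.
SAMPLE = (
    "connect.facebook.net:HSTS\t0\t18257\t1608961528860,1,1,2\n"
    "dev.example.test:HSTS\t3\t18300\t1640000000000,1,0,2\n"
    "pins.example.test:HPKP\t0\t18257\t1608961528860,1,0,2\n"
)

def parse_entry(line):
    """Split one listing into its whitespace-separated fields."""
    key, _score, last_day, value = line.split()
    host, _, kind = key.rpartition(":")
    # Assumed layout of the value: expiry (ms), state, include-subdomains.
    expiry_ms, _state, subdomains = value.split(",")[:3]
    return {
        "host": host,
        "kind": kind,  # HSTS or HPKP
        # Third column is taken to be days since 1970-01-01.
        "last_access": datetime.fromtimestamp(
            int(last_day) * 86400, timezone.utc).date(),
        "expires": datetime.fromtimestamp(int(expiry_ms) / 1000, timezone.utc),
        "include_subdomains": subdomains == "1",
    }

def remove_hsts(text, host):
    """Return (new_text, removed) with only `host`'s HSTS lines dropped."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        try:
            entry = parse_entry(line)
        except (ValueError, OverflowError, OSError):
            kept.append(line)  # leave anything unrecognised untouched
            continue
        if entry["kind"] == "HSTS" and entry["host"] == host:
            removed.append(entry)
        else:
            kept.append(line)
    return "".join(kept), removed

if __name__ == "__main__":
    new_text, removed = remove_hsts(SAMPLE, "connect.facebook.net")
    for e in removed:
        print("removed", e["host"], "expires", e["expires"].isoformat())
    print(new_text, end="")
```

To use it on a real profile, close Firefox first, keep a .bak copy of the file, and write the returned text back only after checking the removed list.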
Method 4: Clearing the HSTS Settings From the Browser
- Open Firefox and in the address bar type: about:config. Now, click on the button: I accept the risk! and enter the Advanced settings menu.
- Now, search for hsts in the search bar.
- Select and double-click security.mixed_content.use_hstsc to toggle the setting and disable it.
Steps for Clearing HSTS Settings in Microsoft Internet Explorer
- On your PC, open the Run box and type “regedit” to open the Registry Editor.
- Once it opens, browse to the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
- From the Edit menu, go to New, select Key, type FEATURE_DISABLE_HSTS, and hit Enter.
- Now, click on FEATURE_DISABLE_HSTS.
- Again, from the Edit menu, click New and select DWORD Value.
- Now, type iexplore.exe.
- From the Edit menu, select Modify. In the Value data box that opens, type 1, and click the OK button to save the change.
- Browse to the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\
- Again, from the Edit menu, select New and click Key.
- Now, type FEATURE_DISABLE_HSTS and hit Enter.
- Click FEATURE_DISABLE_HSTS.
- From the Edit menu, go to New, click DWORD Value and type iexplore.exe.
- Now, from the Edit menu, click Modify.
- Now, type 1 in the Value data box and click OK.
- Finally, close the Registry Editor.
Wrapping Up
HSTS errors may occasionally occur in the browser, but don’t be discouraged: apply HSTS anyway. If an error occurs, follow the steps above for your browser of choice, whether Google Chrome, Mozilla Firefox or Internet Explorer, and it’ll likely resolve the error.