Get your FREE copy of "The Ultimate Guide of SSL"

Download Ebook

How to Clear HSTS Settings on Chrome, Firefox and IE Browsers?

A Quick Guide on What HSTS Is and How to Clear or Disable It on Your Browser

HSTS (HTTP Strict Transport Security), is one of the web security policy which enforces web browsers to interact with websites only through secured HTTPS connection (and not HTTP). In return, it helps in avoiding attacks such as cookie hijacking or downgrade attacks. Also, prevent common tools like Firesheep to steal cookie-based login credentials.

Initially, HSTS was created as a response to Moxie Marlinspike introduced vulnerability discussed in 2009 BlackHat Federal talk titled “New Tricks for Defeating SSL in Practice.” In that one vulnerability, that HSTS helps in defending is the one illustrated by Marlinspike’s SSLStrip tool.

Essentially that mentioned tool SSLStrip tool attacks secure HTTPS connections and turns it back into unsecured HTTP ones. So, HSTS policy is implemented, which prevents this attack by communicating to the web browsers that only HTTPS connections should be placed.

Mostly, the creation of HSTS has been accepted well among developers and regular users because of its ability to strengthening online security measures and reducing the risk of corrupting your data or website being hacked.

Yet, the HSTS implementation can cause some hiccups from time to time by displaying HSTS errors in browsers. For example, Google Chrome can display:

“Privacy error: Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID).

If you try to reach the same website from another browser and that website opens without any error, then an HSTS setting is affecting your web browser.

In such a scenario, you’ll need to clear them, and this issue can be solved easily by effectively clearing HSTS settings on most major web browsers.

What Causes HSTS Error in Popular Browsers?

Unlike other HTTPS errors, HSTS errors are not something that can be bypassed. Plus, if the website is serving the HSTS header, then it’s likely that your browser will store it whenever you try to visit it. Some of the common reasons for HSTS error to occur in your browsers are like:
  • If your browser has an HSTS setting stored for any domain and later you try to connect that website over HTTP or through broken HTTP connection such as expired certificate, mis-match hostname, you may receive this error.
  • If you’re a developer, you may get this HSTS error while testing an HSTS configuration.
  • If you’re the website visitor and you receive this error, then it’s mostly due to HSTS deployment on a site you’re visiting. So, as a user, it’s recommended to delete the local HSTS settings of the website or else wait for them to expire, which can be as per the ‘max-age’ set onto it.
Also, HSTS errors don’t have any unique error for any of the browsers. But the error pages do include HSTS information.

Steps to Clear HSTS Settings in Google Chrome

Whenever this HSTS settings error occurs in Chrome, most likely, you will encounter an error message like “Your connection is not private.” Further, digging into the Advanced menu of this error, you’ll see the message explicitly mentioning HSTS settings. Go through the below steps and delete the HSTS cache from your Chrome browser.
  • Open your Chrome browser
  • In the Address bar search: chrome://net-internals/#hsts
  • Search the Query HSTS/PKP domain field and enter the website (domain) name of the one you want to delete HSTS settings for.
  • In the field, enter the domain name in this Delete domain security policies and press the Delete button.

Steps to Clear HSTS Settings in Mozilla Firefox

There are different methods for disabling or clearing HSTS in the Firefox browser. So, if one doesn’t work, you can check another one. Some of the straightforward methods are as below:

Method 1: Clearing the HSTS Settings by Forgetting the Website

  • Close open windows and open your Mozilla Firefox browsing History by clicking Ctrl + Shift + H (On Mac: Cmd +Shift +H).
  • Now, go to the site for which you want to clear the HSTS settings.
  • Right-click on the site and click on Forget About This Site option. Note: This will clear all the data of the website currently in Firefox.
  • Now, restart the browser, and the error should’ve been resolved.

Method 2: Clearing the HSTS Settings by Clearing Site Preferences

  • In Firefox, click the Library icon and go to History > Clear Recent History
  • Clear All History window will pop up, in that set the Time range to clear drop-down menu to Everything and uncheck all the options and select only Site preferences and click Clear Now button.
  • Now, restart your browser error should’ve solved.

Method 3: Clearing the HSTS Settings by Editing the User Profile

  • Close your Firefox browser entirely, including associated tray icons and pop-ups.
  • Now, navigate to the Firefox’s user profile. Below are possible locations:
    For Microsoft Windows Users:
    C:\ Users*\ AppData \ Local \ Mozilla \ Firefox \ Profiles

    C:\ Users* \ AppData \ Roaming \ Mozilla \ Firefox \ Profiles

    For Mac Users:
    / Users / * /Library / Application Support / Firefox / Profiles

  • In the Firefox Address bar type: about:support at the top and hit Enter button.
  • Application Basics page will open, in that go to the Profile Folder section, and click Open Folder. Once you open it, close the Firefox browser.
  • Once you open Profile Folder of Mozilla Firefox, search and open SeiteSecurityServiceState.txt in text editor program like Notepad. It’s the file that contains HSTS and HPKP (Key Pinning) settings for the domains which you have previously visited.
  • An Example of an HSTS Listing:    0          18257      1608961528860,1,1,2
  • Now, delete the HSTS information of the website you want.
  • Once you delete the entry, save and close the file and restart your Firefox browser.

  • Be careful delete the information only of the website you want.
  • Another option is to rename the file format from .txt to .bak. So, you’ll have a backup of the existing file, and Firefox will also create a new file from scratch, which will help eliminate any previously saved HSTS settings.

Method 4: Clearing the HSTS Settings From the Browser

  • Open Firefox and in the address bar type: about:config. Now, click on the button: I accept the risk! and enter the Advanced settings menu.
  • Now, search for the hsts from the search bar.
  • Select and double click on security.mixed_content.use_hstsc to toggle the settings and disable it.

Steps for Clearing HSTS Settings in Microsoft Internet Explorer

  • On your PC, go to Run box and type “regedit” to open the Registry Editor.
  • Once it opens, browse the below registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
  • From the menu, go to Edit, browse to New and select Key and type FEATURE_DISABLE_HSTS, and hit Enter.
  • Now, click on FEATURE_DISABLE_HSTS
  • Again, from the Edit menu, click on option New and select and click DWORD Value.
  • Now, type iexplore.exe
  • From the menu section, click Edit and select on Modify. In the opened Value data box, type 1, and click Ok button to save the change.
  • Browse to following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\
  • Again, from the Edit menu, select New and click Key.
  • Now, type FEATURE_DISABLE_HSTS and hit Enter.
  • From the Edit menu, browse to New and click DWORD value and type iexplorer.exe.
  • Now, from the menu Edit, click Modify.
  • Now, type 1 in Value data box and click Ok.
  • Finally, close the Registry Editor.
Note: For the iexplore.exe, subkey values are 0 and 1, where value 0 activates the feature, and 1 disables the feature.

Wrapping Up

As you read above, how HSTS helps enhance your website security. So, if you’re developing your website, it’s advisable to apply HSTS. But, before you do so, keep in account that having a reputable SSL/TLS Certificate installed is equally important. So, first, install an SSL/TLS Certificate and then enable HSTS settings.

However, HSTS errors may occasionally occur in the browser. But don’t be discouraged and apply the HSTS anyway, and if any error occurs, follow the steps mentioned above for any of your favorite browsers, namely Google Chrome, Mozilla Firefox or Internet Explorer, and it’ll likely resolve the error.

Disclosure: AboutSSL appreciates your continuous support. It helps us tremendously to keep moving in the competitive SSL industry. Here most of the links which direct you to buy any SSL/TLS related service or products earns us a certain percentage of referral commission. Learn More