How To Easily Clear or Disable HSTS Settings On Your Browsers
HTTP Strict Transport Security (HSTS) is a security feature implemented by web browsers that forces sites to use secure HTTPS connections for all communication. Once enabled for a domain, HSTS will instruct the browser to automatically upgrade any HTTP requests to HTTPS before accessing the site.
The purpose of HSTS is to provide increased protection against man-in-the-middle attacks that could intercept sensitive data sent over insecure HTTP connections. It eliminates any accidental use of HTTP instead of HTTPS by enforcing HTTPS for the defined period that HSTS remains enabled.
However, in some cases users may wish to clear their locally stored HSTS settings for a particular domain such as when troubleshooting access to a site after an expired certificate or other issues connecting over HTTPS. Clearing HSTS can also enable connecting over HTTP which provides more error information compared to an HTTPS connection failure.
In this guide, we will explain the exact step-by-step process to follow in both Google Chrome and Mozilla Firefox to clear locally cached HSTS settings when required.
How to Clear HSTS Settings on Google Chrome
Google Chrome provides a simple interface to view and manage permissions and settings including clearing or disabling HSTS for individual domains. Here are the steps to follow:
- Click on the 3 vertical dots in the top right Chrome menu then select Settings.
- Scroll down and click the “Privacy and security” option on the left side menu.
- Now select the “Site Settings” link under the “Security” section.
- This will open the Site Settings page where you manage permissions, data sharing, notifications and more per site. Start typing in the domain you want to manage into the search box.
- Chrome will show a dropdown with matching domains as you type. Select the correct site to open the permissions view for that domain.
- Scroll down to find the “HTTPS-Only mode” also referred to as HSTS setting for the domain.
- Toggle the switch off to DISABLE HSTS and allow connections over HTTP. This immediately clears the HSTS for this domain only.
Note that sites included in the Chrome HSTS preload list require additional steps described later to fully clear after disabling the normal HSTS locally.
That covers the simple process to clear HSTS state for domains in the Google Chrome browser. The site will function as normal, but Chrome will accept HTTP or HTTPS access going forward instead of forcing HTTPS.
How to Clear HSTS in Mozilla Firefox
Mozilla Firefox also makes it straightforward to clear HSTS settings on a per domain basis when required. Here are the steps:
- Click the menu button and select Settings.
- Scroll down to find and select the Privacy & Security option on the left.
- The main Security section manages various security features. Scroll down near the bottom and locate the “HTTPS-Only mode” also referred to as HSTS setting.
- By default the “Override automatic HTTPS-only mode” option is DISABLED to allow sites to enable HSTS automatically. Check this box to ENABLE overriding HSTS which permits clearing HSTS on individual domains going forward.
- Click on the now activated “Site Permissions” link in the blue box while override HSTS remains enabled from the previous step.
- The Site Permissions manager shows all domains with data permissions granted. Use the search box to type in the domain you want to clear HSTS for.
- Locate the correct domain from the list shown as you type and click the 3 dot menu to the right then choose “Clear HSTS”.
That covers how to locally clear HSTS state cached in the Firefox browser for any domain giving you issues, or one that you wish to access over unencrypted HTTP connections temporarily.
Additional HSTS Clearing Context
Now that you understand how to view and toggle HSTS settings per domain in Chrome and Firefox, it helps to know some additional context around what data gets cleared and other implications of disabling HSTS:
When clearing HSTS, the browser deletes the cached expiration date for mandatory HTTPS for that domain. This means HTTP can be used until the domain re-enables HSTS on the next visit.
Browsers will re-enable HSTS automatically as soon as the site sends the proper Strict-Transport-Security header over HTTPS again. This provides security against future slip-ups in the use of HTTP instead of HTTPS.
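To make the cache behaviour described above concrete, here is an added model of a browser's HSTS store (example code written for this article, not the code of Chrome or Firefox). It shows that clearing only removes the cached expiry for one host, that a later header re-arms it, that max-age lapses on its own, and that a preloaded host (the constructed `preloaded.example`) stays enforced because there is no cache entry to delete:

```python
import re
import time

# Constructed stand-in for the browser's built-in preload list (host -> includeSubDomains).
PRELOADED = {"preloaded.example": True}


class HstsStore:
    """Minimal model of a browser's per-host HSTS cache (not real browser code)."""

    def __init__(self, now=time.time):
        self.now = now        # clock, injectable for tests
        self.entries = {}     # host -> (expires_at, include_subdomains)

    def observe_header(self, host, header):
        """Record a Strict-Transport-Security header seen on an HTTPS response."""
        max_age, include_sub = None, False
        for field in (f.strip() for f in header.split(";")):
            m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', field, re.I)
            if m:
                max_age = int(m.group(1))
            elif field.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return            # malformed header: ignored, nothing cached
        if max_age == 0:
            self.entries.pop(host, None)   # the site itself withdrew HSTS
            return
        self.entries[host] = (self.now() + max_age, include_sub)

    def clear(self, host):
        """What the browser UI does: forget the cached expiry for one host only."""
        return self.entries.pop(host, None) is not None

    def should_upgrade(self, host):
        """True if an http:// request to host would be rewritten to https://."""
        labels = host.split(".")
        for i in range(len(labels)):
            parent, exact = ".".join(labels[i:]), i == 0
            # Preloaded hosts stay enforced after clear(): there is no cache entry to delete.
            if parent in PRELOADED and (exact or PRELOADED[parent]):
                return True
            entry = self.entries.get(parent)
            if entry and entry[0] <= self.now():
                del self.entries[parent]   # max-age elapsed: entry lapses on its own
            elif entry and (exact or entry[1]):
                return True
        return False
```

Feed it a header, call `clear()`, then `should_upgrade()` again to see the difference between a cached entry and a preloaded one.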
You ONLY want to clear HSTS if necessary for troubleshooting or temporarily to regain access to a site. The enhanced security should stay in effect for all normal access to sensitive sites like banking, email, etc.
The above guidance covers manually clearing HSTS which handles most standard scenarios. However, sites included on the special preloaded HSTS lists in Chrome, Firefox and other modern browsers require advanced removal steps if they continue blocking all HTTP traffic even after following the instructions to disable local HSTS in your browser.
Troubleshooting Help
In some cases, additional troubleshooting is needed if clearing HSTS as explained above does not resolve HTTPS errors or continued forced redirection warnings. Here are some things to check:
Browser continues blocking HTTP access after disabling HSTS:
As noted above, sites in browser preload lists require fully uninstalling and reinstalling the browser after clearing all cache and data to completely reset HSTS. This nuclear option clears ALL browser data, so export bookmarks, saved passwords and any other critical information first, before proceeding with the uninstall/reinstall of the browser itself.
Site not appearing under stored permissions to allow clearing HSTS:
In rare cases, sites may store HSTS in ways that prevent easy viewing or clearing via the browser interfaces explained earlier. This often occurs with Internet Service Providers that enable HSTS across their entire domain. Typically, these large ISP or mobile carrier sites lack any user-facing portal to directly manage HSTS. In these cases, fully removing and reinstalling the browser is the only current option to truly clear HSTS settings.
Manual site removal from preloaded lists:
As a last resort for sites with hardcoded HSTS that continue enforcing HTTPS beyond the browser-based HSTS clearing in Chrome or Firefox, some advanced users may wish to download and manually edit the preload list files themselves to remove problematic entries, at their own risk. This involves navigating to the Chrome or Firefox source code directories on your local system and editing the transportSecurity.json files after making backups. Only attempt this manual removal from preloaded HSTS lists if you fully understand the risks of altering built-in browser security lists.
Closing Summary
Implementing HTTP Strict Transport Security (HSTS) proves vital for securing connections and sensitive user data transmitted between browsers and websites/web services. The assurance of encrypted transport via mandated HTTPS communicates safety to end users while preventing common mistakes that expose data to snooping.
However, in certain cases clearing locally cached HSTS information regains the flexibility to access sites over HTTP – such as for troubleshooting server/certificate issues if connections fail under enforced HTTPS. We walked through the exact steps required in Google Chrome and Mozilla Firefox to view and clear HSTS settings, accepting reduced security during these temporary scenarios.
Outside of troubleshooting and regaining access to faltering sites, we recommend allowing HSTS to remain enabled on all sites transmitting private user data or communications. The small inconvenience pales in comparison to the man-in-the-middle attacks that cryptographic transport security defends against in the first place. But now you understand how to clear HSTS settings locally or globally when essential.
Frequently Asked Questions
What causes the NET::ERR_CERT_REVOKED error?
This error is caused by a revoked SSL certificate that is no longer trusted by your browser for security reasons determined by the Certificate Authority. The cause could be compromised encryption keys or other issues with that site’s certificate.
Is the NET::ERR_CERT_REVOKED error dangerous?
It does not necessarily mean a site is malicious if you see this error. But revoked certificates cannot provide secure HTTPS protection, so you should not enter any sensitive data on sites showing this warning until the certificate is fixed.
How can I tell if a website certificate has been revoked?
The NET::ERR_CERT_REVOKED browser error message is the main indicator that a certificate has been revoked. You may also see certificate warnings on the page. Check the certificate status with your browser or on the Certificate Authority website.
Does this error mean my browser or computer is compromised?
Not necessarily. The NET::ERR_CERT_REVOKED error mainly indicates an issue with the individual website’s certificate, not your system. Clearing your browsing data and resetting browser settings should resolve it without any need to wipe your computer.
What precautions can I take to avoid certificate errors in the future?
Keep your browser updated with the latest security patches. Don’t ignore certificate warnings or errors. Use antivirus and firewall protection. Avoid using proxy servers or unfamiliar VPN services. And contact sites directly if you continually see certificate issues with them.