Apache 2.4 - Disable HSTS Header [closed]

apache-2.4 ubuntu-18.04 hsts

I've set up a Vagrant box with Ubuntu 18.04 and installed Apache 2.4.29. I've created and enabled a new conf file that looks like this:

<VirtualHost *:80>
    ServerName django.dev
    ServerAlias www.django.dev
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

For some reason, apache responds with an HSTS header when I try to call django.dev:

HSTS response header

I have no idea where this is coming from. There is no such header set in apache2.conf nor in 000-default.conf and I don't even have mod_ssl enabled.

Strangely enough, everything works as expected if call the IP directly. If I ping django.dev it is resolved to the exact same IP.

Does anyone know how or where I can disable HSTS? I'm at a loss and already wasted hours trying to solve this issue.


The HSTS policy is cached by the browser for the seconds specified in the max-age directive (RFC 6797, 6.1.1). Removing the header from web server configuration doesn't remove the policy from the cache (nor a preloading list, if submitted to one), and therefore it continues causing 307 Internal Redirects on every browser that has already cached the policy.

As specified in RFC 6797, 5.3:

Only the given HSTS Host can update or can cause deletion of its issued HSTS Policy. It accomplishes this by sending Strict-Transport-Security HTTP response header fields to UAs with new values for policy time duration and subdomain applicability. Thus, UAs cache the "freshest" HSTS Policy information on behalf of an HSTS Host. Specifying a zero time duration signals the UA to delete the HSTS Policy (including any asserted includeSubDomains directive) for that HSTS Host.

Therefore, the only way to remove an HSTS policy is to set an HSTS header with a zero duration, and the browser must also see this header on a secure connection without any TLS errors nor warnings (2.2).

<VirtualHost *:443>
    . . .
    Header always set Strict-Transport-Security "max-age=0"
</VirtualHost>

Strangely enough, everything works as expected if call the IP directly.

This is not strange at all. As explained in the Appendix A,

  1. HSTS Hosts are identified only via domain names -- explicit IP address identification of all forms is excluded. This is for simplification and also is in recognition of various issues with using direct IP address identification in concert with PKI-based security.

You can't disable HSTS on .dev

If this is literally a .dev domain, you can't disable HSTS.

Your security is our priority. The .dev top-level domain is included on the HSTS preload list, making HTTPS required on all connections to .dev websites and pages without needing individual HSTS registration or configuration. Security is built in.

Related

How does a datacenter protect itself from IP change by the hosted servers?
Dell iDRAC6 virtual console viewer from GNU/Linux command line
Can Windows integrate with LDAP?
How do I copy an image in VMWare?
What is the $hf_mig$ directory for in Windows Server 2003?
OSX - Full Disk Encryption [closed]
How Do I Restrict Repository Access via WebSVN?
Resolving host names to their domain name in an internal BIND domain
SCGI or FastCGI - What do you prefer? [closed]
How secure are password-protected WinRAR archives?
How to add a new folder in Windows 2008 Server Registry
Best tool to migrate a PostgreSQL database to MS SQL 2005?