Apache 2.4 - Disable HSTS Header [closed]
I've set up a Vagrant box with Ubuntu 18.04 and installed Apache 2.4.29. I've created and enabled a new conf file that looks like this:
<VirtualHost *:80>
ServerName django.dev
ServerAlias www.django.dev
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
For some reason, apache responds with an HSTS header when I try to call django.dev:
I have no idea where this is coming from. There is no such header set in apache2.conf nor in 000-default.conf and I don't even have mod_ssl enabled.
Strangely enough, everything works as expected if call the IP directly. If I ping django.dev it is resolved to the exact same IP.
Does anyone know how or where I can disable HSTS? I'm at a loss and already wasted hours trying to solve this issue.
The HSTS policy is cached by the browser for the seconds specified in the max-age
directive (RFC 6797, 6.1.1). Removing the header from web server configuration doesn't remove the policy from the cache (nor a preloading list, if submitted to one), and therefore it continues causing 307 Internal Redirect
s on every browser that has already cached the policy.
As specified in RFC 6797, 5.3:
Only the given HSTS Host can update or can cause deletion of its issued HSTS Policy. It accomplishes this by sending
Strict-Transport-Security
HTTP response header fields to UAs with new values for policy time duration and subdomain applicability. Thus, UAs cache the "freshest" HSTS Policy information on behalf of an HSTS Host. Specifying a zero time duration signals the UA to delete the HSTS Policy (including any asserted includeSubDomains directive) for that HSTS Host.
Therefore, the only way to remove an HSTS policy is to set an HSTS header with a zero duration, and the browser must also see this header on a secure connection without any TLS errors nor warnings (2.2).
<VirtualHost *:443>
. . .
Header always set Strict-Transport-Security "max-age=0"
</VirtualHost>
Strangely enough, everything works as expected if call the IP directly.
This is not strange at all. As explained in the Appendix A,
- HSTS Hosts are identified only via domain names -- explicit IP address identification of all forms is excluded. This is for simplification and also is in recognition of various issues with using direct IP address identification in concert with PKI-based security.
You can't disable HSTS on .dev
If this is literally a .dev
domain, you can't disable HSTS.
Your security is our priority. The .
dev
top-level domain is included on the HSTS preload list, making HTTPS required on all connections to .dev
websites and pages without needing individual HSTS registration or configuration. Security is built in.