Firefox and Chrome keeps forcing HTTPS on Rails app using nginx/Passenger
If you used config.force_ssl = true
in your environment configuration, and then later turn it off, your browser may still only make connections over ssl.
Rails sends an HSTS header when force_ssl
is true, which will cause some browsers to only allow connections over HTTPS to the domain in question, regardless of what's entered in the address bar. This setting will be cached by the browser for 1 year by default.
See some tips for how to avoid this in this blog post ocmment: http://www.simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl/#comment-40447
I found a way to turn off HSTS from an answer on a Wordpress support forum of all of places: https://wordpress.org/support/topic/want-to-turn-off-http-strict-transport-security-hsts-header#post-6068192
You can send back a header that will turn off HSTS caching. Tested in Chrome with this example before_filter in a Rails 4 app:
response.headers['Strict-Transport-Security'] = 'max-age=0; includeSubDomains'