Firefox and Chrome keep forcing HTTPS on a Rails app using nginx/Passenger

If you used config.force_ssl = true in your environment configuration and later turned it off, your browser may still only make connections to the site over HTTPS.

Rails sends a Strict-Transport-Security (HSTS) header when force_ssl is true. A browser that supports HSTS will then only connect to that host over HTTPS, rewriting http:// URLs to https:// before any request is sent, regardless of what's entered in the address bar. The browser caches this policy for the header's max-age, which Rails 4 sets to one year (max-age=31536000) by default, so the effect outlives the configuration change on the server.

See some tips for how to avoid this in this blog post comment: http://www.simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl/#comment-40447


I found a way to turn off HSTS from an answer on a WordPress support forum, of all places: https://wordpress.org/support/topic/want-to-turn-off-http-strict-transport-security-hsts-header#post-6068192

You can send back a header that tells the browser to drop its cached HSTS policy for the host: a Strict-Transport-Security header with max-age=0. Browsers ignore this header when it arrives over plain HTTP (RFC 6797, section 8.1), so it has to be sent on an HTTPS response; in practice that is not a problem, since the browser is still forcing HTTPS for the host anyway. Tested in Chrome with this example before_filter in a Rails 4 app:

response.headers['Strict-Transport-Security'] = 'max-age=0; includeSubDomains'
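The snippet above sets the header on every response. As an added example (not code from the original post), the Rack middleware below does the same job with two details a practitioner would want handled: it replaces any stale one-year header the app still emits, and it only sends max-age=0 on responses to HTTPS requests, since browsers discard the header over plain HTTP. Behind nginx/Passenger the app only learns the original scheme if nginx forwards it, so the middleware also honours X-Forwarded-Proto; this assumes the usual `proxy_set_header X-Forwarded-Proto $scheme;` in the nginx location block. The `STALE_APP` lambda is a constructed stand-in for the Rails stack, and the code uses plain Ruby with no Rails or rack gem required.

```ruby
# Added example, not from the original post: clear a browser's cached HSTS
# policy after config.force_ssl has been turned off.
#
# RFC 6797 section 8.1: a user agent MUST ignore Strict-Transport-Security
# received over insecure transport, so max-age=0 only helps on HTTPS
# responses.  Behind a TLS-terminating nginx the app sees the scheme only
# through X-Forwarded-Proto (assumes proxy_set_header X-Forwarded-Proto $scheme;).
class HstsReset
  HEADER = 'Strict-Transport-Security'.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Drop whatever the app set (e.g. the stale one-year header), whatever its case.
    headers.delete_if { |name, _| name.casecmp(HEADER).zero? }
    # max-age=0 deletes the host's HSTS entry; adding includeSubDomains, as the
    # post's snippet does, is harmless but not needed to clear the host itself.
    headers[HEADER] = 'max-age=0' if self.class.https?(env)
    [status, headers, body]
  end

  # True when the client spoke TLS, either directly to the app server or to a
  # reverse proxy that reported it via X-Forwarded-Proto.
  def self.https?(env)
    return true if env['rack.url_scheme'] == 'https'
    return true if env['HTTPS'].to_s.casecmp('on').zero?
    # Several proxies may append to the header; the first value is the client's.
    forwarded = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
    forwarded.casecmp('https').zero?
  end
end

# Constructed sample app standing in for the Rails stack: it still emits the
# one-year header that force_ssl = true used to add.
STALE_APP = lambda do |_env|
  [200,
   { 'Content-Type' => 'text/plain', 'Strict-Transport-Security' => 'max-age=31536000' },
   ['ok']]
end

# Run one request through the middleware and return [status, headers, body].
def respond(env)
  HstsReset.new(STALE_APP).call(env)
end

if __FILE__ == $PROGRAM_NAME
  # nginx terminated TLS and forwarded the scheme: policy gets cleared.
  puts respond('rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'https')[1].inspect
  # Plain HTTP: header is stripped rather than sent, since the browser would ignore it.
  puts respond('rack.url_scheme' => 'http')[1].inspect
end
```

Use it with `config.middleware.use HstsReset` for as long as you want to keep clearing old clients, then remove it once the original max-age window has passed. Because the header is only meaningful over HTTPS, the site must keep serving HTTPS during that period; taking the certificate down before the browsers have seen max-age=0 locks those users out instead.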