How to clear HSTS from your browser

If you enabled HSTS on your site, you’ll have to clear it from your browser after you disable it again. Otherwise, your site will keep loading over SSL. There are two ways to do this. The first sets the header in the .htaccess file, which resets it for all users:

Resetting the HSTS header using the .htaccess

If you set the expiration time on your HSTS header in the .htaccess to zero, the HSTS header should expire immediately.

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=0; includeSubDomains;" env=HTTPS
</IfModule>
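
To confirm the rule took effect, check that the site's HTTPS response really carries max-age=0; browsers only act on this header when it arrives over HTTPS, and a response with no header at all leaves a stored entry in place. The following is an added example, not part of the original article: the function name hsts_status and the sample response are constructed for illustration, and example.com is a placeholder.

```shell
#!/bin/sh
# Classify the HSTS policy found in HTTP response headers read from stdin.
# Prints one of:
#   cleared - max-age=0: the browser drops its stored HSTS entry
#   active  - max-age > 0: the browser keeps forcing HTTPS
#   absent  - no Strict-Transport-Security header: a stored entry is NOT cleared
#   invalid - header present but without a usable max-age directive
hsts_status() {
    tr -d '\r' | awk '
        BEGIN { status = "absent" }
        # Only the first Strict-Transport-Security header is processed (RFC 6797).
        tolower($0) ~ /^strict-transport-security[ \t]*:/ && !seen {
            seen = 1
            status = "invalid"
            # Header and directive names are case-insensitive.
            value = tolower(substr($0, index($0, ":") + 1))
            n = split(value, parts, ";")
            for (i = 1; i <= n; i++) {
                d = parts[i]
                gsub(/[ \t"]/, "", d)        # tolerate spaces and a quoted value
                if (d ~ /^max-age=[0-9]+$/) {
                    age = substr(d, 9) + 0   # digits after "max-age="
                    status = (age == 0) ? "cleared" : "active"
                    break
                }
            }
        }
        END { print status }
    '
}

# Constructed sample: the response the .htaccess rule above should produce.
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0; includeSubDomains;\r\n\r\n' | hsts_status

# Live check against your own site (placeholder host):
#   curl -sI https://example.com/ | hsts_status
```

Run the live check against the https:// URL and against any subdomains that were covered by includeSubDomains.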

Clearing from the browser

Just clearing it from your browser is also possible:

In Chrome:

  1. In the address bar, type “chrome://net-internals/#hsts”.
  2. Type the domain name in the text field below “Delete domain”.
  3. Click the “Delete” button.
  4. Type the domain name in the text field below “Query domain”.
  5. Click the “Query” button.
  6. Your response should be “Not found”.

In Safari:

  1. Close Safari.
  2. Delete the ~/Library/Cookies/HSTS.plist file.
  3. Reopen Safari.

Note that these instructions do not apply to the removal of a domain from the HSTS Preload list. Only submit your site if you’re sure that your site (and its subdomains) can support HTTPS in the long term.