Die Funktionalität dieser Website ist durch Wartungsarbeiten eingeschränkt, die Ihr Erlebnis verbessern sollen. Wenn ein Artikel Ihr Problem nicht löst und Sie eine Frage stellen möchten, können Sie unsere Gemeinschaft über @FirefoxSupport auf Twitter, /r/firefox oder Reddit fragen.

Hilfe durchsuchen

Vorsicht vor Support-Betrug: Wir fordern Sie niemals auf, eine Telefonnummer anzurufen, eine SMS an eine Telefonnummer zu senden oder persönliche Daten preiszugeben. Bitte melden Sie verdächtige Aktivitäten über die Funktion „Missbrauch melden“.

Weitere Informationen

How to Remove HSTS from URL Test Server Url in Browser?

  • 1 Antwort
  • 1 hat dieses Problem
  • 7 Aufrufe
  • Letzte Antwort von cor-el

more options

I have a prod server (example.com) and local vbox vm test server (test.example.com), both running nextcloud. I am developing using Ubuntu Mozilla Firefox 89.0.2

The test server uses example.com, but has a domain alias test.example.com, that I use to differentiate between test and prod when working.

I accidentally added the following HSTS apache2 directive to my test server:

   <IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
   </IfModule>

The net result, is that I can't open the test nextcloud site and the prod nextcloud simultaneously in my browser because `test.example.com` will suddenly switch to `https://test.example.com` and lock me out.

I have researched and tried all multiple different methods to remove HSTS from test url, which are:

1.) The "Forget About This Website" method via the firefox browser history for both test.example.com and example.com

2.) I tried deleting "Site Preferences", using "Everything" as the time period, under Privacy & Security Settings (I went to the max and deleted cache, cookies, browser history, -everything-)

3.) I edited "SiteSecurityServiceState.txt" located in my browser profile folder.

4.) I also used about:config and switched `security.mixed_content.block_display_content` from "false" to "true"

5.) I also made the file `SiteSecurityServiceState.txt` as to to completely HSTS in the browser, yet the problem still persists. (even tried deleting it)

5.) Also, in my `/var/www/config/config.php` for nextcloud, I have also edited the trusted domains section as follows:

   'trusted_domains' =>
     array (
     0 => 'test.example.com',
       ),

All of this has failed to permanently correct the problem. I might be able to access test.example.com for a short period of time, but if prod server example.com is opened the problematic `https://test.example.com` returns.

And FYI, `https://hstspreload.org/?domain=example.com` still shows:

   Warning: Unnecessary HSTS header over HTTP
The HTTP page at http://example.com sends an HSTS header. This has no effect over HTTP, and should be removed.

Help :-/

I have a prod server (example.com) and local vbox vm test server (test.example.com), both running nextcloud. I am developing using Ubuntu Mozilla Firefox 89.0.2 The test server uses example.com, but has a domain alias test.example.com, that I use to differentiate between test and prod when working. I accidentally added the following HSTS apache2 directive to my test server: <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" </IfModule> The net result, is that I can't open the test nextcloud site and the prod nextcloud simultaneously in my browser because `test.example.com` will suddenly switch to `https://test.example.com` and lock me out. I have researched and tried all multiple different methods to remove HSTS from test url, which are: 1.) The "Forget About This Website" method via the firefox browser history for both test.example.com and example.com 2.) I tried deleting "Site Preferences", using "Everything" as the time period, under Privacy & Security Settings (I went to the max and deleted cache, cookies, browser history, -everything-) 3.) I edited "SiteSecurityServiceState.txt" located in my browser profile folder. 4.) I also used about:config and switched `security.mixed_content.block_display_content` from "false" to "true" 5.) I also made the file `SiteSecurityServiceState.txt` as to to completely HSTS in the browser, yet the problem still persists. (even tried deleting it) 5.) Also, in my `/var/www/config/config.php` for nextcloud, I have also edited the trusted domains section as follows: 'trusted_domains' => array ( 0 => 'test.example.com', ), All of this has failed to permanently correct the problem. I might be able to access test.example.com for a short period of time, but if prod server example.com is opened the problematic `https://test.example.com` returns. And FYI, `https://hstspreload.org/?domain=example.com` still shows: Warning: Unnecessary HSTS header over HTTP<br> The HTTP page at http://example.com sends an HSTS header. This has no effect over HTTP, and should be removed. Help :-/

Alle Antworten (1)

more options

I would assume that this is a problem with the server that still send HSTS data.

You can possibly try to catch this via HTTP logging via the about:networking page.