Disable force-https?

Hey, I was wondering if there was a way to remove the forcing of https over http!

I’ve removed the RewriteRule from my site.com.conf but it still seems to force https even after restarts and ./letsencrypt-auto rollback.

Any solutions?

It probably used HSTS, which basically “caches” the http->https redirect and therefore it is not easy to stop using HTTPS.
But depending on the max-age directive of the HSTS header it may go away sooner or later. Until then you should continue to support HTTPS, otherwise website users are likely to get errors.

Thanks for the answer! I’ve gotten rid of problems (non-https resources, etc.) for now but it would be nice not to worry about them in the future. Glad to hear it’s not permanent!

The max-age variable in the HSTS header can be set to 0. Any client retrieving a valid HTTPS header from the site after that will no longer enforce it.


But it is worth mentioning that the HSTS header with max-age=0 is only valid when it is served over HTTPS. Everything else would defeat its purpose.

So basically you need HTTPS support to “disable” HSTS.

