Disable force-https?


#1

Hey, I was wondering if there was a way to remove the forcing of https over http!

I’ve removed the RewriteRule from my site.com.conf but it still seems to force https even after restarts and ./letsencrypt-auto rollback.

Any solutions?


#2

It probably used HSTS, which basically “caches” the http->https redirect, and therefore it is not easy to stop using HTTPS.
But depending on the max-age directive of the HSTS header it may go away sooner or later. Until then you should continue to support HTTPS, otherwise website users are likely to get errors.


#3

Thanks for the answer! I’ve gotten rid of problems (non-https resources, etc.) for now but it would be nice not to worry about them in the future. Glad to hear it’s not permanent!


#4

The max-age variable in the HSTS header can be set to 0. Any client retrieving a valid HTTPS header from the site after that will no longer enforce it.


#5

But it is worth mentioning that the HSTS header with max-age=0 is only valid when it is served over HTTPS. Everything else would defeat its purpose.

So basically you need HTTPS support to “disable” HSTS.
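
The behaviour described in replies #2, #4 and #5, as an added example that is not part of the original posts: a simplified model of a browser's HSTS cache following RFC 6797. The class and function names and the host `site.example` are made up for illustration, the timeline is constructed, and `includeSubDomains` is not modelled.

```python
import re

def parse_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        m = re.fullmatch(r'\s*max-age\s*=\s*"?(\d+)"?\s*', directive, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return None  # max-age is required; without it the header is ignored

class HstsCache:
    def __init__(self):
        self.expiry = {}  # host -> time (seconds) at which the entry expires

    def observe(self, scheme, host, sts_value, now):
        """Process one response; return True if the header was honoured."""
        if scheme != "https" or sts_value is None:
            return False  # headers received over plain HTTP are ignored
        max_age = parse_max_age(sts_value)
        if max_age is None:
            return False
        if max_age == 0:
            self.expiry.pop(host, None)  # max-age=0: forget the host
        else:
            self.expiry[host] = now + max_age
        return True

    def scheme_for(self, host, now):
        """Scheme the client actually uses when the user asks for http://host/."""
        return "https" if self.expiry.get(host, 0) > now else "http"

def replay():
    """Constructed timeline for a hypothetical host; returns the scheme after each step."""
    cache, host, seen = HstsCache(), "site.example", []
    cache.observe("https", host, "max-age=31536000", now=0)  # HSTS was on
    seen.append(cache.scheme_for(host, now=10))  # redirect removed, still https
    cache.observe("http", host, "max-age=0", now=20)  # sent over plain HTTP
    seen.append(cache.scheme_for(host, now=30))  # ignored, still https
    cache.observe("https", host, "max-age=0", now=40)  # sent over HTTPS
    seen.append(cache.scheme_for(host, now=50))  # entry removed, plain http
    return seen

if __name__ == "__main__":
    print(replay())
```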

