Every subdomain is redirecting to HTTPS (even non-existent ones)

Hi, so I enabled Letsencrypt and Cloudflare for my website, everything was working perfectly, but today I wanted to try something and I noticed HTTPS was forced everywhere, even on non-existent subdomains… So what to do?

Basically I only want HTTPS forced on specific subdomains, not on every one… How to do that?

I’ll PM someone my vhosts and stuff if they are needed, don’t like sharing them on public though.

Are you using HSTS with the flag “includeSubdomains”?


Yes, BUT I disabled it and it was still happening, I even fully disabled SSL & HSTS on Cloudflare, ran /flushdns, went incognito and to a random subdomain (http://jsadjasdnaskdsand.mydomain.net) and it just redirected me to (http://jsadjasdnaskdsand.mydomain.net)

HSTS is more or less permanently stored in your browsers and is not affected by things like deleting the cache.

In order to disable HSTS, you need to send the header Strict-Transport-Security: max-age=0 and visit the site via HTTPS with that header up with every affected browser.

You might also want to check whether you added your domain to the HSTS preload list. If that’s the case, removal will take a couple of months to propagate (the site has details).

Okay so I disabled HSTS on Cloudflare.

I added Header set Strict-Transport-Security: max-age=0 to my httpd.conf file and restarted Apache2, yet I still get redirected to HTTPS on any subdomain.

Basically what I’m trying to do is I want one subdomain on my website with HTTP; the rest of the site will have HTTPS, no problem.

Note that by disabling HSTS for one subdomain, you reduce the security of all your other (sub)domains, because it means you can’t have the HSTS+includeSubdomains header, nor the preload option.

Yea it’s fine, don’t want HSTS anymore, yet it’s not being disabled correctly…

I am still getting a forced HTTPS redirect, any solutions/ideas?

Did you check the HSTS preload list? The header won’t help if your domain is on that list IIRC.

Did you visit your domain via HTTPS while the max-age=0 header was up? Just setting the header in your configuration and then visiting your subdomain via HTTP won’t work.

Yea I checked, it’s not there.

And I did visit the domain, still same thing ;/

Happy to take a look at the actual domain, feel free to PM.

Inspecting the domain didn’t reveal anything new. I was able to browse to the subdomain via HTTP, though.

To check the HSTS status of your domain in your browser, follow the steps described here. I can confirm that when I manually add the domain to the HSTS list in Chrome and then visit your domain, the HSTS entry is removed, so the header seems to be working as expected (at least in Chrome).

If your domain does not appear on that list, it’s possible that the redirect is happening because of a regular HTTP 301 redirect (from http:// to https://) that’s still cached by your browser (maybe caused by CloudFlare). Deleting your browser cache should solve that problem.

Oh wow, I just tried it on my RDP server and said subdomain does load with HTTP, yet it doesn’t on my local machine with my browser. Is there a way to force a cache clear? Since this wouldn’t be only visited by me, I’m worried it’d affect users.

If your issue was caused by HSTS, the new header should resolve that problem for your visitors (confirmed at least for Chrome per above, I’d assume Firefox would work as well) as long as they visit the “main” domain at one point prior to visiting the subdomain. There’s no other way to force HSTS removal.

If it was caused by an HTTP 301 redirect, only users that visited the subdomain while it was redirecting would be affected. There’s no way to force a cache clear for users affected by this.

Cheers, thank you so much, I appreciate it.

It is possible to remove HSTS entries from your own browser cache. Have a look in chrome://net-internals/#hsts (for Chrome) and then there’s an option to delete domains from the list. Not sure how that will affect subdomains.

Just checking, but have you enabled “includeSubdomains” alongside the max-age=0 setting?

That would not be necessary (RFC 6797):

   NOTE:  A max-age value of zero (i.e., "max-age=0") signals the UA to
          cease regarding the host as a Known HSTS Host, including the
          includeSubDomains directive (if asserted for that HSTS Host).
          See also Section 8.1 ("Strict-Transport-Security Response
          Header Field Processing").
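To make the quoted RFC text concrete, here is an added illustration (not code from this thread) that models a browser's HSTS store the way RFC 6797 describes it, using constructed hostnames: a policy with includeSubDomains covers a random subdomain, a max-age=0 header received over plain HTTP changes nothing, and the same header received over HTTPS drops the entry together with its includeSubDomains assertion.

```python
# Added illustration of RFC 6797 HSTS store behaviour; hostnames are constructed.
class HstsStore:
    def __init__(self, now=lambda: 0):
        self.hosts = {}  # host -> (expiry_epoch, include_subdomains)
        self.now = now

    def process_header(self, host, value, over_https=True):
        # RFC 6797 s.8.1: a UA ignores the header on a plain-HTTP response,
        # which is why max-age=0 only takes effect after an HTTPS visit.
        if not over_https:
            return
        directives = {}
        for part in value.split(";"):
            name, _, val = part.strip().partition("=")
            if name:
                directives[name.strip().lower()] = val.strip().strip('"')
        max_age = directives.get("max-age", "")
        if not max_age.isdigit():
            return  # max-age is required; a malformed header is ignored
        if int(max_age) == 0:
            # max-age=0: stop treating the host as a Known HSTS Host, which
            # also drops its includeSubDomains assertion (no extra flag needed)
            self.hosts.pop(host.lower(), None)
            return
        self.hosts[host.lower()] = (self.now() + int(max_age), "includesubdomains" in directives)

    def should_upgrade(self, host):
        # RFC 6797 s.8.3: upgrade on an exact match, or on a superdomain
        # match whose entry asserted includeSubDomains
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

def demo():
    # Constructed walk-through of the thread's situation: a wildcard policy,
    # then a max-age=0 sent over HTTP (no effect), then over HTTPS (cleared).
    store = HstsStore(now=lambda: 1_700_000_000)
    sub = "jsadjasdnaskdsand.example.net"
    store.process_header("example.net", "max-age=31536000; includeSubDomains")
    with_policy = store.should_upgrade(sub)
    store.process_header("example.net", "max-age=0", over_https=False)
    after_http_clear = store.should_upgrade(sub)
    store.process_header("example.net", "max-age=0")
    after_https_clear = store.should_upgrade(sub)
    return with_policy, after_http_clear, after_https_clear
```

Real browsers also consult the built-in preload list, which this model leaves out; a preloaded domain stays upgraded regardless of any header it sends.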

@pfg thanks for that. Learnt something there :)
