Problem with Chrome on Subdomain


#1

Right now, I have SSL on my main site, udorm.io but not on my subdomain, dev.udorm.io, because I didn’t know I had to apply for these separately and I’m waiting for the subdomain to be let into the closed beta. I have the main site set to redirect http://udorm.io/ to https://udorm.io. Somehow Chrome has gotten the idea that the subdomain should be SSL as well and I get this error message.


#2

You’ve enabled HSTS with the includeSubdomains flag. This means that after you’ve visited https://udorm.io your browser will refuse to use HTTP for that site or any of its subdomains for the time period specified in the Strict-Transport-Security header. Currently you have this set to 63072000 seconds - two years.

You can undo this by setting the time period to 0 and hitting the main site in your browser. Once it sees the new header, Chrome will allow you to visit the HTTP subdomain. When everyone that needs access to your dev site has done this, you can safely re-enable HSTS without the includeSubdomains flag. You can re-enable that again later when all your subdomains support HTTPS.