Remove HSTS saved in client browser


#1

Hi All,
I have previously, in my infinite wisdom, included HSTS in my HAP config with the default max age. I am using HAP 1.5

Config was as follows:
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload

I have realised now that this is causing problems for sites that are still in development, etc.
I have many clients now trying to hit newsub.example.com and HAP is forcing HSTS because it is saved in their browser. I know this can be removed in your browser as a manual process, but for me to get hold of every past client and get them to do this is just not possible. My question now is: how do I remove this? I would like to confirm if this is possible, as my reasoning is, ‘If HAP can insert the HSTS domain in the browser, then it can remove it too’.

I am thinking that using an ACL to check the header could work and then force removal of the domain in the browsers, something like:
acl hsts_exists res.hdr_cnt(Strict-Transport-Security) gt 0
rspdel Strict-Transport-Security:\ max-age=31536000 if hsts_exists   # To delete the HSTS

There is so much documentation on how to add HSTS on the web, and the browser saves this in its cache files, but strangely no documentation on how to reverse this. The only docs that exist are about manual removal in Chrome, Firefox, etc.

Your input would be very much appreciated,
Regards


#3

I didn’t think it was possible, but according to the RFC there is indeed a way.

https://tools.ietf.org/html/rfc6797#section-6.2

http-response set-header Strict-Transport-Security max-age=0;\ includeSubDomains;

Whether it is supported in the browsers is a different thing entirely.
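To show why the rspdel idea from #1 does nothing and the max-age=0 header from #3 does work, here is a small model of the browser side, written in Python as an added example for this thread (it is not HAProxy code and not from either poster). It keeps a "Known HSTS Hosts" table the way RFC 6797 describes: a response with no Strict-Transport-Security header leaves the stored policy alone, a response with max-age=0 deletes it, and a policy set with includeSubDomains on example.com covers newsub.example.com. The host names and header values are constructed samples taken from the thread; real browsers add rules this model skips (the header is only honoured over a TLS connection with no certificate errors, IP-address hosts are ignored, and so on).

```python
import time


def parse_sts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header must be ignored (missing or malformed max-age,
    duplicate max-age). Unknown directives such as "preload" are skipped, as
    RFC 6797 section 6.1 instructs; "preload" is not part of the UA's HSTS
    policy logic at all, it only matters for the browser-shipped preload list.
    """
    max_age = None
    include_sub = False
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Simplified model of a browser's Known HSTS Hosts table.

    hosts maps a host name to (expiry_timestamp, include_subdomains).
    """

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so the behaviour is testable
        self.hosts = {}

    def observe_response(self, host, headers, over_tls=True):
        """Apply the STS header (if any) carried by one response from `host`."""
        sts = headers.get("strict-transport-security")
        if sts is None or not over_tls:
            # No header: the stored policy is untouched. This is why simply
            # stopping the header (rspdel) never removes HSTS from a browser.
            return
        parsed = parse_sts(sts)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            # RFC 6797 section 6.1.1: max-age=0 tells the UA to stop treating
            # this host as a Known HSTS Host.
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)

    def is_known_hsts_host(self, host):
        """True if the UA must upgrade requests for `host` to HTTPS."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self.now():
                del self.hosts[candidate]  # expired policy is discarded
                continue
            if i == 0 or include_sub:
                return True
        return False


def demo():
    """Replay the thread: set HSTS, try rspdel, try max-age=0 (wrong host, then right host)."""
    clock = [1_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    # Constructed sample: the header produced by the rspadd line in post #1.
    original = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}
    # Constructed sample: the header produced by the set-header line in post #3.
    zero = {"strict-transport-security": "max-age=0; includeSubDomains;"}

    store.observe_response("example.com", original)
    before = store.is_known_hsts_host("newsub.example.com")
    # Post #1's idea: just stop sending the header. The policy survives.
    store.observe_response("example.com", {})
    after_delete = store.is_known_hsts_host("newsub.example.com")
    # max-age=0 served by the subdomain does not help either: the policy
    # covering newsub lives on example.com, the host that set it.
    store.observe_response("newsub.example.com", zero)
    after_sub_zero = store.is_known_hsts_host("newsub.example.com")
    # max-age=0 served by example.com itself clears the policy.
    store.observe_response("example.com", zero)
    after_zero = store.is_known_hsts_host("newsub.example.com")
    return before, after_delete, after_sub_zero, after_zero


if __name__ == "__main__":
    print(demo())
```

Two practical points fall out of the model: the max-age=0 response has to be served over HTTPS by the host that originally set the policy (example.com here), and it only reaches browsers that come back to that host, so the reset header should stay in the config for at least as long as the old max-age. Separately, if the domain was actually submitted to the browser preload list (the "preload" directive by itself does not do that), the entry ships inside the browsers and no header can remove it; that requires the preload list's own removal process and waits on browser release cycles.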