I recently ran into a problem when testing a website locally using an existing domain name. After adding the domain name to my hosts file and setting up a self-generated certificate, I was surprised to see that I could not ignore the expected certificate warnings.
I got the expected “Your connection is not private” warning but the “Proceed to example.com (unsafe)” link was missing. Instead a “You cannot visit example.com right now because the website uses HSTS” message is displayed.
Turns out that the original website had set the HSTS header: this instructs the browser to always require TLS/SSL for this domain and to verify the validity of the certificate. This header looks something like this:
Strict-Transport-Security: max-age=8035200; includeSubDomains; preload
The browser caches this policy for the duration set by max-age. In the example header above, that means the browser will enforce the HSTS policy for a duration of 3 months (8035200 seconds) from the time it first received the header over a valid TLS/SSL connection.
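To see exactly what a header like the one above commits the browser to, here is an added example (not code from the original post) that parses a Strict-Transport-Security value the way a browser does and reports the expiry, whether subdomains are covered, and whether the preload flag is set; the header string is the one shown above, and dev.example.com is an assumed hostname for a local development site.

```python
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class HstsPolicy:
    max_age: int              # seconds the browser keeps requiring valid TLS
    include_subdomains: bool  # the policy also applies to every *.host
    preload: bool             # site asked to be built into browsers' lists

def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse an HSTS value (RFC 6797); None if max-age is missing, repeated or non-numeric."""
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # quoted values are allowed
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # empty or unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)

def covers_host(policy: HstsPolicy, policy_host: str, host: str) -> bool:
    """Does a policy received from policy_host apply to a request for host?"""
    host, policy_host = host.lower(), policy_host.lower()
    if host == policy_host:
        return True
    return policy.include_subdomains and host.endswith("." + policy_host)

def expires_at(policy: HstsPolicy, received_epoch: float) -> float:
    """Unix time at which the browser stops enforcing the policy."""
    return received_epoch + policy.max_age

# Constructed sample: the header value from the post, as received just now.
SAMPLE_HEADER = "max-age=8035200; includeSubDomains; preload"

if __name__ == "__main__":
    policy = parse_hsts(SAMPLE_HEADER)
    print("enforced until:", time.ctime(expires_at(policy, time.time())))
    # dev.example.com is an assumed hostname for the local development site
    print("dev.example.com covered:", covers_host(policy, "example.com", "dev.example.com"))
    print("deletable via chrome://net-internals/#hsts:", not policy.preload)
```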
So I was unable to connect to my development environment. Now what?
Fortunately, you can still remove the cached header in Chrome yourself by browsing to chrome://net-internals/#hsts. Unfortunately, if the preload flag is set in the HSTS header, Chrome doesn’t allow you to delete it.
Only one thing left, disabling the security checks entirely!
To do this you can start another instance of Chrome from your terminal using the --disable-web-security and --ignore-certificate-errors flags. So, the following command:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --disable-web-security --ignore-certificate-errors --user-data-dir=/tmp/
will open a new Chrome window where you will be able to connect to the local site, ignoring the invalid certificate and HSTS policy.
If you are not working on a Mac or have installed Chrome somewhere in another location, you’ll need to replace the /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome part with the correct path.
Note that for security reasons and to prevent misuse, Chrome requires you to use a different user data directory to enable these flags, hence the