HSTS setting forces chrome to redirect subdomains too

  • Resolved goggel

    (@goggel)


    3 years, 3 months ago

    Hi

    I have a public webpage where HSTS is enabled. When this setting is enabled it also redirects subdomains that is not a part of wordpress.

    The issue is that I have an internal subdomain to my webpage internal.example.com This subdomain is also forced to use HTTPS by chrome even if it’s not possible to have SSL on this webpage.

    Is there a way for you to change the code so I could change the HSTS setting in the plugin or where is the best place to do it in the code by myself?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author WebFactory

    (@webfactory)

    Hi,
    Unfortunately, I don’t know the answer to that question and I’m not sure how the HSTS behaves in this particular case.
    As far as changing the plugin goes, it only has one PHP file so you shouldn’t have any problems finding the HSTS related code and making changes.

    This problem is not resolved. We upgraded to the new release of WP Force SSL, V1.65, on our production WP-site https://buergerenergie-buxtehude.de/ and then set HSTS. Immediately the test-site https://test.buergerenergie-buxtehude.de/ was no longer accessible* although the plugin is NOT installed there (no SSL on this site). We have not been able to locate where the HSTS attribute is set and despite deinstalling WP Force SSL on the production site the problem remains. This is clearly a fault with the plugin as after the deinstall there should be no after-affects!
    How can we remove the unwanted HSTS attribute?

    *latest WP versions installed (5.8.3), latest version of Firefox
    (note latest version of ms Edge does allow access to the test-site but this is pure luck)

    Here is the Firefox error msg (excerpt):
    Firefox hat ein m?gliches Sicherheitsrisiko erkannt und daher test.buergerenergie-buxtehude.de nicht aufgerufen, denn die Website ben?tigt eine verschlüsselte Verbindung.
    test.buergerenergie-buxtehude.de verwendet eine Sicherheitstechnologie namens “HTTP Strict Transport Security (HSTS)”, durch welche Firefox nur über gesicherte Verbindungen mit der Website verbinden darf. Daher kann keine Ausnahme für die Website hinzugefügt werden.

    Plugin Author Alexandru Tapuleasa

    (@talextech)

    Hi,

    HSTS is cached by browsers so you will need to clear it in your browser, even if you have disabled the plugin that has set it. You can find more details here https://msutexas.edu/library/clearhsts.php

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘HSTS setting forces chrome to redirect subdomains too’ is closed to new replies.