How can I disable HSTS AND force redirect to http?


I just recently built a new site on an old domain name for a client. Apparently at some point in the past someone enabled HSTS on the domain, so some people were getting "Your connection is not private" errors when accessing it. To get around this I got a Let's Encrypt SSL Certificate and put

<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=0; includeSubDomains" env=HTTPS
</IfModule>

in the header to disable HSTS in the browsers that have it set.

Now the problem is, with that set, people can still browse the site using https (because it now has a valid certificate). They could also bookmark, etc. on https. This will be a problem once I let the certificate expire (which I'm going to do because they don't need it).

So I added a redirect in the .htaccess file:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} =on
    RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

But with both of those set, there is now a redirect loop. If I use the HSTS disable code without the redirect, I can access the site once to disable HSTS, re-add the redirect, and then access it normally, but obviously I can't do that for each user. My best guess is that even though the HSTS code is put before the redirect in the .htaccess file the redirect is triggered before the browser disables HSTS and it results in a redirect loop.

Is there any way I can get around this?

Thanks!


There are 0 answers
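The loop described in the question, modelled as an added Python simulation (this is not code from the post, and not a verified diagnosis of that particular server). It assumes Apache's documented mod_headers behaviour: a plain `Header set` is applied to 2xx responses, while only `Header always set` also reaches a locally generated 3xx redirect such as the one mod_rewrite produces. It also assumes a browser that upgrades http:// to https:// before sending any request for a host in its HSTS cache, and that ignores a Strict-Transport-Security header received over plain HTTP (RFC 6797 behaviour).

```python
# Constructed simulation of an HSTS-pinned browser talking to the .htaccess
# from the question.  Hostname "example.com" is a placeholder.
from dataclasses import dataclass, field


@dataclass
class Browser:
    hsts_hosts: set = field(default_factory=set)  # cached HSTS policies

    def resolve(self, url):
        # HSTS upgrade happens client-side, before any request leaves the browser
        scheme, host = url.split("://")
        if scheme == "http" and host in self.hsts_hosts:
            scheme = "https"
        return scheme, host


def server(scheme, host, redirect, always):
    """Emulate the .htaccess: optional https->http 301 plus a max-age=0 STS header."""
    headers = {}
    if scheme == "https" and redirect:
        status, location = 301, f"http://{host}"
        sts_sent = always              # assumption: only `Header always set` reaches a 3xx
    else:
        status, location = 200, None
        sts_sent = scheme == "https"   # env=HTTPS: plain `Header set` reaches a 2xx
    if sts_sent:
        headers["Strict-Transport-Security"] = "max-age=0; includeSubDomains"
    return status, location, headers


def apply_hsts(browser, scheme, host, headers):
    sts = headers.get("Strict-Transport-Security")
    if sts is None or scheme != "https":   # STS is only honoured over HTTPS
        return
    max_age = int(sts.split("max-age=")[1].split(";")[0])
    if max_age == 0:
        browser.hsts_hosts.discard(host)   # max-age=0 clears the cached policy
    else:
        browser.hsts_hosts.add(host)


def visit(start_url, redirect, always, hsts_cached=True, max_hops=10):
    """Return ('ok', hops) once a 200 is reached, or ('loop', max_hops)."""
    browser = Browser({"example.com"} if hsts_cached else set())
    url = start_url
    for hop in range(1, max_hops + 1):
        scheme, host = browser.resolve(url)
        status, location, headers = server(scheme, host, redirect, always)
        apply_hsts(browser, scheme, host, headers)
        if status == 200:
            return "ok", hop
        url = location
    return "loop", max_hops
```

Under these assumptions, `visit("http://example.com", redirect=True, always=False)` never reaches a 200 because the 301 carries no STS header and the browser re-upgrades every hop, while `always=True` clears the policy on the first redirect and lands on http on the second hop.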