What is HSTS: HSTS stands for HTTP Strict Transport Security (強制安全傳輸技術 in Chinese). The idea is that on your first visit to an https site, the site's response carries a Strict-Transport-Security header. That header makes the browser remember that this site (strictly speaking, this domain) offers a secure HTTPS connection, and it forces HTTPS on every later connection. Forced really means forced: whether you click a link that has no https in it (for example, this one) or deliberately type an address beginning with http:// into the address bar, the browser rewrites it to https before sending the request.
So what if one day you change your mind and no longer want this? How do you clear the setting?
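The browser-side behaviour described above can be modelled in a few lines. The following Python is an added example, not code from the original post: it parses a Strict-Transport-Security value the way RFC 6797 defines it, keeps a per-host cache with an expiry, and rewrites http:// URLs for hosts (and, with includeSubDomains, their subdomains) that still have a live policy. It also shows the two ways an entry disappears: the client forgetting it, which is what the rest of this page is about, and the site sending max-age=0 over HTTPS, which RFC 6797 defines as the way a site operator withdraws the policy. Host names and timestamps used in the test are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns None when the header carries no usable max-age (the browser then
    ignores it), otherwise a dict with max_age in seconds and the
    includeSubDomains / preload flags. Unknown directives are ignored.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be quoted
        if name == "max-age":
            if not value.isdigit():
                return None                  # malformed max-age: no policy
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}


class HstsStore:
    """Minimal model of the browser-side HSTS cache the article describes."""

    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header, scheme="https", now=None):
        """Record the policy a response carried.

        Only HTTPS responses count: a header seen over plain HTTP is ignored.
        max-age=0 deletes the entry, which is how a site withdraws HSTS.
        """
        now = time.time() if now is None else now
        if scheme != "https":
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        host = host.lower()
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)
            return
        self._hosts[host] = (now + policy["max_age"], policy["include_subdomains"])

    def forget(self, host):
        """Client-side removal, the equivalent of Chrome's 'Delete domain' box."""
        self._hosts.pop(host.lower(), None)

    def should_upgrade(self, host, now=None):
        """True if an unexpired policy covers this host or a parent with includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                del self._hosts[candidate]   # expired entries no longer force HTTPS
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def upgrade_url(self, url, now=None):
        """Rewrite an http:// URL to https:// when a policy applies, else return it unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.should_upgrade(parts.hostname, now):
            netloc = parts.hostname
            if parts.port not in (None, 80):   # port 80 becomes 443; any other explicit port is kept
                netloc = f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    store.observe("example.com", "max-age=31536000; includeSubDomains", now=0)
    print(store.upgrade_url("http://www.example.com/login", now=10))
```

The walk from the exact host up through its parents is what makes includeSubDomains work, and it is also why clearing a single subdomain in the browser UI does nothing while a parent domain's entry still covers it.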
Clearing HSTS settings in Chrome:
Navigate to chrome://net-internals/#hsts. In the Delete domain section, type the domain whose HSTS setting you want to clear into the text box (1), then click "Delete" (2).
After you click, nothing visible happens, so you need to confirm that the HSTS entry was actually deleted.
In the Query domain section below it, type the domain you just deleted into the text box, then click "Query".
If the deletion succeeded, you should see what the figure below shows: a "Not found" message appears underneath.
If it failed, as in the figure below, the browser reports the HSTS information it holds for that domain.
Clearing HSTS settings in Firefox:
We will cover two different methods for deleting HSTS settings in Firefox. The first method should work in most cases – but we also included a manual option if needed.
Close all open tabs in Firefox.
Open the full History window with the keyboard shortcut Ctrl + Shift + H (Cmd + Shift + H on Mac). You must use this window or the sidebar for the below options to be available.
Find the site you want to delete the HSTS settings for – you can search for the site at the upper right if needed.
Right-click the site from the list of items and click Forget About This Site. This should clear the HSTS settings (and other cache data) for that domain.
Restart Firefox and visit the site. You should now be able to visit the site over HTTP/broken HTTPS. If these instructions did not work, you can try the following manual method:
Manual Method for Firefox
If the above steps do not work, you can try the following method.
Start by locating your Firefox profile folder through your operating system's file explorer. You can find this folder through Firefox by navigating to about:support.
Halfway down the page, in the Application Basics section, you will see Profile Folder. Click Open Folder.
Now close Firefox so that the browser does not overwrite any settings we are about to change.
In your Profile folder find and open the file SiteSecurityServiceState.txt.
This file contains cached HSTS and HPKP (Key Pinning, a separate HTTPS mechanism) settings for domains you have visited. It may be very disorganized.
Search for the domain you want to clear the HSTS settings for and delete it from the file. Each entry begins with the domain name. Delete the entirety of the entry, from the beginning of the desired domain name to the next listed domain. As an alternative, you can rename the existing file from .txt to .bak (in order to save the existing file, just in case) and allow Firefox to create an entirely new file on next start up.
Here is an example of a simple HSTS listing:
www.thesslstore.com:HSTS 0 17312 1527362896190,1,0
As mentioned, the formatting for this file can be messy. Below is a sample from my profile. Each domain's settings are shown in a unique color to make separation clear. In this case, part of the settings for the previous domain appear at the beginning in red:
1527363079029,1,0www.thesslstore.com:HSTS 0 17312
1527362896190,1,0scotthelme.co.uk:HPKP
0 17312
1498419087277,1,1,9dNiZZueNZmyaf3pTkXxDgOzLkjKvI+Nza0ACF5IDwg=X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=V+J+7lHvE6X0pqGKVqLtxuvk+0f+xowyr3obtq8tbSw=9lBW+k9EF6yyG9413/fPiHhQy5Ok4UI5sBpBTuOaa/U=ipMu2Xu72A086/35thucbjLfrPaSjuw4HIjSWsxqkb8=+5JdLySIa9rS6xJM+2KHN9CatGKln78GjnDpf4WmI3g=MWfCxyqG2b5RBmYFQuLllhQvYZ3mjZghXTRn9BL9q10=
api.github.com:HSTS 0 17312 1527362865303,1,1
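The manual Firefox method above (find the domain's entry and delete it through to the next host) and the messy sample listing are easier to handle with a small parser. The following Python is an added example, not code from the original post or from The SSL Store's article: it reads entries in the shape the page's sample shows (host:type, two numbers, then expiry,state,includeSubdomains and, for HPKP, the pin hashes), copes with entries that run together without line breaks, and can drop one host while keeping everything else. The meaning I give the numeric fields (a score, a last-accessed day count, an expiry in milliseconds since the epoch) and the tab separation used when writing the file back are my reading of Firefox's format, not something the page states; the sample data is the page's own listing.

```python
import re
from datetime import datetime, timezone

# One entry, in the order the page's sample shows:
#   host:KIND  score  lastAccessedDay  expiryMs,state,includeSubdomains[,pin1=pin2=...]
# Pins are base64 SHA-256 hashes, each ending in "=", so a run of them splits
# unambiguously even with no separator between them.
ENTRY = re.compile(
    r"(?P<host>[A-Za-z0-9.-]+):(?P<kind>HSTS|HPKP)"
    r"\s+(?P<score>\d+)\s+(?P<last_day>\d+)\s+"
    r"(?P<expiry_ms>\d+),(?P<state>\d),(?P<subdomains>\d)"
    r"(?P<pins>(?:,(?:[A-Za-z0-9+/]+=)+)?)"
)
# A data tail with no host in front of it (what the page shows "in red" at the
# start of its sample). It is skipped rather than glued onto the next host.
ORPHAN_TAIL = re.compile(r"\d+,\d,\d(?:,(?:[A-Za-z0-9+/]+=)+)?")


def parse_entries(text):
    """Split SiteSecurityServiceState.txt content into entries.

    Matching proceeds sequentially from the end of the previous entry, so a
    digit belonging to the previous entry's data (the "0" in ",1,0scotthelme")
    is never mistaken for the first character of the next host name.
    """
    entries = []
    pos = 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = ENTRY.match(text, pos)
        if m is None:
            m = ORPHAN_TAIL.match(text, pos)
            if m is None:
                raise ValueError(f"unrecognised data at offset {pos}: {text[pos:pos + 40]!r}")
            pos = m.end()
            continue
        entries.append({
            "host": m.group("host"),
            "kind": m.group("kind"),
            "score": int(m.group("score")),
            "last_day": int(m.group("last_day")),
            "expiry_ms": int(m.group("expiry_ms")),
            "state": int(m.group("state")),
            "include_subdomains": m.group("subdomains") == "1",
            "pins": re.findall(r"[A-Za-z0-9+/]+=", m.group("pins")),
        })
        pos = m.end()
    return entries


def expires_at(entry):
    """Expiry as a UTC datetime (assumes expiry_ms is milliseconds since the epoch)."""
    return datetime.fromtimestamp(entry["expiry_ms"] / 1000, tz=timezone.utc)


def format_entry(entry):
    """Write one entry back, tab-separated (an assumption about the on-disk layout)."""
    data = f"{entry['expiry_ms']},{entry['state']},{1 if entry['include_subdomains'] else 0}"
    if entry["pins"]:
        data += "," + "".join(entry["pins"])
    return f"{entry['host']}:{entry['kind']}\t{entry['score']}\t{entry['last_day']}\t{data}"


def remove_domain(text, host):
    """Return the file content with every entry for `host` dropped, one entry per line.

    Only the exact host is removed; its subdomains and parents are kept.
    """
    kept = [e for e in parse_entries(text) if e["host"].lower() != host.lower()]
    return "".join(format_entry(e) + "\n" for e in kept)


# The page's sample listing, joined exactly as it appears there.
SAMPLE = (
    "1527363079029,1,0www.thesslstore.com:HSTS 0 17312\n"
    "1527362896190,1,0scotthelme.co.uk:HPKP\n"
    "0 17312\n"
    "1498419087277,1,1,9dNiZZueNZmyaf3pTkXxDgOzLkjKvI+Nza0ACF5IDwg=X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=V+J+7lHvE6X0pqGKVqLtxuvk+0f+xowyr3obtq8tbSw=9lBW+k9EF6yyG9413/fPiHhQy5Ok4UI5sBpBTuOaa/U=ipMu2Xu72A086/35thucbjLfrPaSjuw4HIjSWsxqkb8=+5JdLySIa9rS6xJM+2KHN9CatGKln78GjnDpf4WmI3g=MWfCxyqG2b5RBmYFQuLllhQvYZ3mjZghXTRn9BL9q10=\n"
    "api.github.com:HSTS 0 17312 1527362865303,1,1\n"
)

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e["host"], e["kind"], "expires", expires_at(e).date(), "pins:", len(e["pins"]))
    print(remove_domain(SAMPLE, "www.thesslstore.com"), end="")
```

Run it against a copy of SiteSecurityServiceState.txt with Firefox closed, as the steps above require, and diff the result before replacing the original; the .bak rename the article suggests remains the simplest fallback if the rewritten file is not accepted.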
References:
https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/
https://blog.bennyling.cc/362/clear-google-chrome-hsts-setting/