HSTS stands for HTTP Strict Transport Security
This is a header sent by the web server to tell your browser: “Don’t visit this website (and, if enabled, its subdomains) over an insecure HTTP channel for a given period of time”.
This mechanism is meant to prevent MITM attacks: once the browser knows a host is HSTS-enabled it rewrites http:// to https:// before sending anything, so an attacker on the network cannot downgrade the connection (SSL stripping), and it refuses to let the user click through a certificate error for that host.
This information is saved per browser.
When you visit a website for which an HSTS entry exists, the browser will force HTTPS.
Sometimes this behavior is undesirable.
For example when:
you accidentally included subdomains (includeSubDomains) and now every host under the domain is forced to HTTPS.
you are developing locally and want to test over plain HTTP.
How to remove HSTS from your browser
When you open the developer tools with Ctrl+Shift+I and click on the Network tab, you can see which headers are being passed to your browser.
For example, you can find the HSTS header (Strict-Transport-Security) here under the response headers of the request.
Google Chrome has several hidden pages.
You can enter chrome://net-internals/#hsts in Google Chrome.
When you select Domain Security Policy on the left hand side you can query HSTS domains on the right hand side. When you enter an FQDN, it returns when the header was observed, when the entry expires and whether subdomains are included. The timestamps are in Unix time (seconds since 1970-01-01 UTC, with a fractional part).
In the screenshot below you see:
dynamic_sts_include_subdomains:true
dynamic_sts_observed: 1612084519.858279
dynamic_sts_expiry: 1643620519.858275
Convert Unix time to a human readable format
When we convert the Unix timestamp for dynamic_sts_observed with CyberChef, the observed time is Sun 31 January 2021 09:15:19 UTC.
When we do the same for dynamic_sts_expiry, the expiry time is Mon 31 January 2022 09:15:19 UTC.
Every time you visit the website and the header is received again, the observed timestamp is refreshed and the expiry moves with it.
There is one thing that looks strange about the sts_expiry value.
It is one year after the observed time instead of two years, even though the header's max-age is 63072000 seconds (730 days). This is not a mistake on the server side: Chrome caps the stored HSTS max-age at one year (31536000 seconds) regardless of a larger value sent by the server, so the expiry is always at most a year after the last observation.
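The following is an added example, not code from the original post: it parses a Strict-Transport-Security header the way a browser does, converts the net-internals Unix timestamps from the screenshot into readable UTC time, and computes the expiry Chrome actually stores by applying its one-year cap. The header value (max-age=63072000; includeSubDomains) is assumed from the values described above; the cap constant mirrors Chromium's kMaxHSTSAgeSecs.

```javascript
// Added example (not from the original post): HSTS header parsing,
// Unix-timestamp conversion and Chrome's one-year max-age cap.

// Chrome caps the stored max-age at one year (Chromium: kMaxHSTSAgeSecs = 86400 * 365).
const CHROME_MAX_HSTS_AGE_SECS = 86400 * 365;

// Parse a Strict-Transport-Security header value into its directives.
// Directives are separated by ';' and names are case-insensitive.
// Returns null when max-age is missing or malformed, because browsers
// ignore the whole header in that case. A max-age of 0 is valid and tells
// the browser to delete its entry for the host.
function parseHsts(headerValue) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of headerValue.split(';')) {
    const directive = part.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    // max-age may be written as a quoted-string; strip surrounding quotes.
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) return null;
      result.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (name === 'preload') {
      result.preload = true;
    }
  }
  return result.maxAge === null ? null : result;
}

// Convert a net-internals timestamp (float seconds since the Unix epoch)
// to an ISO-8601 UTC string, dropping the fractional seconds.
function unixToIso(seconds) {
  return new Date(Math.floor(seconds) * 1000).toISOString();
}

// Expiry as Chrome stores it: observed time plus min(max-age, one year).
function chromeExpiry(observedSecs, maxAge) {
  return observedSecs + Math.min(maxAge, CHROME_MAX_HSTS_AGE_SECS);
}

// Constructed input: the observed timestamp from the screenshot and the
// header value the post describes (assumed).
const observed = 1612084519.858279;
const header = 'max-age=63072000; includeSubDomains';
const parsed = parseHsts(header);

console.log('parsed header:', parsed);
console.log('observed:', unixToIso(observed));
console.log('expiry stored by Chrome:', unixToIso(chromeExpiry(observed, parsed.maxAge)));
console.log('expiry without the cap:', unixToIso(observed + parsed.maxAge));
```

Running it shows the stored expiry landing exactly one year after the observed time while the uncapped expiry would be two years later, which is the gap noted above.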
In the screenshot below you see that the same page also lets us delete the HSTS information stored in the browser for a domain.
In the screenshot below you see there are no HSTS entries stored for the domain anymore. As soon as we visit the website again over HTTPS, the header is received again and the entry is set again.