How to stop an automatic redirect from “http://” to “https://” in Chrome?
To answer this question, we need to understand why Chrome behaves this way.
RFC 6797 (https://tools.ietf.org/html/rfc6797) specifies HTTP Strict Transport Security.
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header (Strict-Transport-Security). Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.
For example:
Strict-Transport-Security: max-age=31536000; includeSubDomains
The main benefits HSTS can bring in terms of security:
- HSTS automatically redirects HTTP requests to HTTPS for the target domain
- HSTS does not allow a user to override the invalid certificate message
There are two ways to stop the redirect:
1) Server side: disable HSTS on the web server by setting max-age to zero, for instance on Nginx. Note that browsers only honour this header on an HTTPS response, so the site must still be served over HTTPS at least once for the zero value to reach the browser and clear its entry.
add_header Strict-Transport-Security "max-age=0;";
2) Client side: delete the domain security policy in the browser, for instance by going to chrome://net-internals/#hsts and deleting the target domain. However, you cannot delete entries that ship in the browser's built-in HSTS preload list.
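To make the mechanism concrete, here is an added example (not from the original post, and not Chrome's own code) that simulates a browser's HSTS cache in Python: it parses the Strict-Transport-Security header, ignores the header on plain-HTTP responses as RFC 6797 requires, rewrites http:// URLs for known hosts (honouring includeSubDomains and expiry), treats max-age=0 as the server-side fix from step 1, models the manual deletion from step 2, and refuses to delete a preloaded entry. The host names and the PRELOADED table are constructed stand-ins, not real preload-list data.

```python
"""Toy model of a browser HSTS cache (constructed example, not Chrome's code)."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list.
# Value is the includeSubDomains flag. Hypothetical host, not a real preload entry.
PRELOADED = {"preloaded.example": True}


def parse_hsts(header):
    """Parse an STS header value into (max_age, include_subdomains).

    Returns None when the header carries no usable max-age, which a browser
    treats as an invalid header and ignores.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    def __init__(self, now=None):
        self.entries = {}          # host -> (expiry timestamp, include_subdomains)
        self.now = now or time.time  # injectable clock so expiry can be tested

    def observe(self, scheme, host, header):
        """Apply an STS header seen on a response from `host`.

        RFC 6797 section 8.1: the header is only processed on an HTTPS
        response, so an attacker on the plain-HTTP path cannot plant or
        clear a policy. max-age=0 removes the host (the server-side fix).
        """
        if scheme != "https":
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = (self.now() + max_age, include_sub)

    def delete(self, host):
        """Manual client-side deletion (what chrome://net-internals/#hsts does).

        Returns True if a dynamic entry was removed. Preloaded hosts are
        compiled into the browser and cannot be removed here.
        """
        if host in PRELOADED:
            return False
        return self.entries.pop(host, None) is not None

    def is_known(self, host):
        """Check the host and each parent domain, as a browser does."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in PRELOADED and (exact or PRELOADED[candidate]):
                return True
            entry = self.entries.get(candidate)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Internally upgrade an http:// URL before any request is sent.

        Port 80 becomes 443 (dropped from the URL); other ports are kept.
        """
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.hostname
            if parts.port not in (None, 80):
                netloc = f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("https", "example.com", "max-age=31536000; includeSubDomains")
    print(cache.rewrite("http://www.example.com/login"))   # upgraded to https://
    cache.observe("https", "example.com", "max-age=0;")     # step 1: server clears it
    print(cache.rewrite("http://www.example.com/login"))   # stays http://
    print(cache.delete("preloaded.example"))                # step 2 cannot touch preload
```

The two checks that matter for the question are visible in `observe`: the header is dropped unless it arrived over HTTPS, and `max-age=0` deletes rather than refreshes the entry. `delete` shows why step 2 fails for preloaded domains.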
References:
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://superuser.com/questions/565409/how-to-stop-an-automatic-redirect-from-http-to-https-in-chrome
https://stackoverflow.com/questions/27945501/307-redirect-when-loading-analytics-js-in-chrome