HSTS Error Explained (HTTP Strict Transport Security)

HSTS errors prevent users from bypassing HTTPS warnings. Learn what HSTS is, what causes HSTS errors, and how to manage HSTS preloading.

HTTP Strict Transport Security (HSTS) is a security policy mechanism that tells browsers to only connect to a domain over HTTPS — never HTTP — for a specified period. Once a browser has seen an HSTS header from a site, it refuses to connect over HTTP for the duration of the policy, even if the user types http:// explicitly.

The HSTS Header

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • max-age: Seconds the policy is in effect (31536000 = 1 year)
  • includeSubDomains: Applies the policy to all subdomains
  • preload: Requests inclusion in the browser's built-in HSTS preload list
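
An added example, not part of the original page: a small Python parser and audit for the header above, following the parsing rules in RFC 6797 (case-insensitive directive names, optional quoted values, and a repeated directive or missing max-age causing browsers to ignore the header). The function names and sample values are constructed for illustration, and the one-year preload minimum is the hstspreload.org submission requirement, which this page does not state.

```python
import re

# Assumption: one-year minimum max-age required by hstspreload.org for submission.
PRELOAD_MIN_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {directive: value-or-None}, or None when a browser would ignore
    the header. Simplification: splits on ';' without honoring quoted ';'.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # empty directives are permitted
            continue
        name, sep, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]               # quoted-string form: max-age="300"
        if name in directives:            # a repeated directive invalidates the header
            return None
        directives[name] = val if sep else None
    if not re.fullmatch(r"[0-9]+", directives.get("max-age") or ""):
        return None                       # max-age is required and must be digits
    return directives

def audit_hsts(value):
    """Return (policy, findings) for one header value."""
    d = parse_hsts(value)
    if d is None:
        return None, ["invalid header: browsers ignore it"]
    age = int(d["max-age"])
    subs, preload = "includesubdomains" in d, "preload" in d
    policy = {"max_age": age, "include_subdomains": subs, "preload": preload}
    findings = []
    if age == 0:
        findings.append("max-age=0 removes any stored policy")
    if not subs:
        findings.append("subdomains not covered")
    if preload and (age < PRELOAD_MIN_AGE or not subs):
        findings.append("preload token present but header is not preload-eligible")
    return policy, findings

if __name__ == "__main__":
    # Constructed sample header values.
    for h in ["max-age=31536000; includeSubDomains; preload",
              'MAX-AGE="300"; preload', "max-age=600; max-age=31536000"]:
        print(repr(h), "->", audit_hsts(h))
```

Run audit_hsts against the value your server actually returns before setting a long max-age or adding the preload token.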

What HSTS Errors Look Like

When a browser enforces HSTS and the TLS certificate is invalid (expired, wrong hostname, untrusted), the browser shows a hard error with no "proceed anyway" option. Unlike normal certificate errors where users can click through, HSTS errors are non-bypassable by design.

  • Chrome: NET::ERR_CERT_AUTHORITY_INVALID with no bypass link
  • Firefox: "An error occurred during a connection to..." with no override option

Clearing a Stuck HSTS Entry

For development/testing, you can clear an HSTS entry in Chrome by visiting chrome://net-internals/#hsts and deleting the domain. In Firefox, close the browser, edit the SiteSecurityServiceState.txt file in your profile, and remove the offending entry.

HSTS Preload

The HSTS preload list (maintained by Google and included in all major browsers) contains domains that should always be accessed over HTTPS, even on the very first visit — before any HSTS header has been seen. Submitting to the preload list is permanent and difficult to reverse — don't do it unless you're committed to HTTPS on all subdomains indefinitely.
