TL;DR
Yes, you can disable HTTP Strict Transport Security (HSTS) in Firefox, but it’s generally not recommended. Disabling HSTS weakens your security. This guide shows how to do it if absolutely necessary for troubleshooting or compatibility reasons.
How to Disable HSTS
- Open Firefox Settings: Type about:config in the address bar and press Enter.
- Accept the Risk: You’ll see a warning page saying ‘Proceed with Caution’. Click ‘Accept the Risk and Continue’. This is because changing these settings can affect your browser’s security.
- Search for HSTS Settings: In the search bar at the top, type network.http.stricttransportsecurity. Several related preferences will appear.
- Reset HSTS Preferences (Recommended): This is the safest way to clear all HSTS settings.
  - Double-click on network.http.stricttransportsecurity.enabled to set its value to false.
  - Double-click on network.http.stricttransportsecurity.preloadlist to set its value to false. This disables the preloaded HSTS list.
- Clear Specific Domain Settings (If Needed): If you only want to disable HSTS for a specific website:
  - Search for security.pki.trustlist. This shows the domains with trusted certificates, which can affect HSTS behaviour.
  - You may need to clear your browser cache and cookies after making changes. Go to ‘History’ -> ‘Clear Recent History’. Select ‘Everything’ for the Time Range to Clear and check ‘Cookies’ and ‘Cache’. Click ‘OK’.
- Restart Firefox: Close and reopen Firefox completely for the changes to take effect.
Checking if HSTS is Disabled
- Visit a Website with HSTS: Go to a website that uses HSTS (e.g., https://www.google.com).
- Check the Connection Information: Click the padlock icon in the address bar.
- If HSTS is disabled, you should see details about the connection without any specific warnings related to HSTS policy violations. If it’s still enabled, you might see a message indicating that the site requires a secure connection and redirects to HTTPS.
Important Considerations
- Security Risk: Disabling HSTS makes your browser vulnerable to man-in-the-middle attacks. Only disable it if you understand the risks and have a specific reason.
- Temporary Solution: If you’re disabling HSTS for troubleshooting, re-enable it as soon as possible.
- Preloaded List: The network.http.stricttransportsecurity.preloadlist preference controls whether Firefox uses a list of websites that are known to enforce HSTS. Disabling this can also affect security.
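
To confirm that a temporary change was reverted after troubleshooting, the following added example (not part of the original guide) scans the text of a Firefox profile's prefs.js, where preferences changed in about:config are saved as user_pref(...) lines, and reports any HSTS-related preference still set to false. The preference names are the ones listed in this guide, matched by the substring stricttransportsecurity; the function names and the sample file content are constructed for illustration.

```python
import re

# user_pref("name", value); is the line format Firefox writes to prefs.js
# for preferences changed from their defaults in about:config.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Substring shared by the HSTS preference names listed in this guide.
HSTS_MARKER = "stricttransportsecurity"


def parse_value(raw):
    """Convert a prefs.js literal (true/false, integer, quoted string) to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')


def find_hsts_overrides(prefs_text):
    """Return {pref_name: value} for every overridden HSTS-related preference."""
    overrides = {}
    for line in prefs_text.splitlines():
        match = PREF_LINE.match(line)
        if match and HSTS_MARKER in match.group(1).lower():
            overrides[match.group(1)] = parse_value(match.group(2))
    return overrides


def disabled_hsts_prefs(prefs_text):
    """Names of HSTS-related preferences currently overridden to false."""
    return sorted(n for n, v in find_hsts_overrides(prefs_text).items() if v is False)


# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("network.http.stricttransportsecurity.enabled", false);
user_pref("network.http.stricttransportsecurity.preloadlist", false);
user_pref("browser.search.region", "GB");
'''

if __name__ == "__main__":
    for name in disabled_hsts_prefs(SAMPLE_PREFS):
        print(f"still disabled, reset in about:config: {name}")
```

Run it against the contents of prefs.js from the profile folder with Firefox closed, since the file is rewritten when the browser exits.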