Ubuntu - HSTS - Clear HSTS

Once a browser or client is presented with the HSTS policy, it caches the information for the specified max-age period. During that period, the browser will refuse to access the web service over unencrypted HTTP, and will refuse to grant exceptions to certificate errors.

If the includeSubDomains parameter was specified for an HSTS policy, these restrictions will also apply to all subdomains of the current domain.

It’s practically impossible to back out an HSTS policy. When you test HSTS, use a very short max-age timeout and ensure you’re comfortable with the effects and the obligation to maintain an HTTPS version of your site. When you first go live with your HSTS policy, keep max-age small and increase it only when you’re confident about doing so.

The cache time comes from the HSTS header sent by the origin site, which is set with something like:

Strict-Transport-Security: max-age=16070400; includeSubDomains

The server will continue to send the HSTS header until this setting is disabled.

To disable HSTS for clients and wipe out their redirects, send:

Strict-Transport-Security: max-age=0;

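Specifying a max-age of zero signals the user agent (UA) to delete the HSTS policy (including any asserted includeSubDomains directive) for that HSTS host. Browsers only act on this header when it arrives over an HTTPS connection without certificate errors, so the site must keep serving valid HTTPS until returning clients have received it.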

Clear HSTS in Firefox

Error code: “ssl_error_bad_cert_domain”.

If you see “I understand the risks”, follow those instructions. Otherwise:

  1. Close all open tabs related to the site you are experiencing an issue with.
  2. Clear your history by clicking the menu and selecting the circular clock icon labeled “History”.
  3. Select the button that says “Clear Recent History”.
  4. In the menu that appears next to “Time range to clear:” click the drop-down and select “Everything”.
  5. Click “Clear Now” and close the menu.
  6. In the address bar type about:permissions and press the Enter key.
  7. On the top left hand side find the box with a magnifying glass with the text “Search Sites”. Click into the box and enter the name of the site you are experiencing issues with.
  8. In the list directly beneath the search window click on the site name and then click the button in the top right hand corner labeled “Forget About This Site”.

Clear HSTS in Google Chrome

Error message: “Cannot connect to the real <domain name>”.

  1. In the address bar, type chrome://net-internals/#hsts.
  2. Type the domain name in the text field below “Delete domain”.
  3. Click the “Delete” button.
  4. Type the domain name in the text field below “Query domain”.
  5. Click the “Query” button.
  6. Your response should be “Not found”.

Clear HSTS in Opera

Error message: “Cannot connect to the real <domain name>”.

  1. In the address bar, type chrome://net-internals/#hsts.
  2. Type the domain name in the text field below “Delete domain”.
  3. Click the “Delete” button.
  4. Type the domain name in the text field below “Query domain”.
  5. Click the “Query” button.
  6. Your response should be “Not found”.

Clear HSTS in Safari

  1. Close Safari.
  2. Delete the ~/Library/Cookies/HSTS.plist file.
  3. Reopen Safari.

ubuntu/hsts/clear_hsts.txt · Last modified: 2020/07/15 10:30 by 127.0.0.1