Disabling HSTS for localhost using a browser extension

Gérald Barré

HTTP Strict Transport Security (HSTS) is a security mechanism: when a site sends the Strict-Transport-Security response header over https, the browser remembers the host for max-age seconds and, for that period, rewrites every http request to that host into an https request before it leaves the browser, without ever contacting the server over plain http. When you are developing a web application, you should make sure HSTS is never cached for localhost, because the entry is keyed by host, not by port or application. Many tools start a local web server on some port and open a browser on it; if any site served from localhost has sent the HSTS header over https once, the browser will upgrade every later http://localhost request, and tools that only listen on http stop working until the entry expires or is cleared.

In a previous post, I explained how to disable HSTS for localhost on Chromium-based browsers or how to use another domain for localhost development. However, these solutions are manual. I recently discovered a better solution: using a browser extension!

Eric Lawrence, author of Fiddler, created a browser extension called "No Local HSTS" that disables HSTS for localhost. The idea of this extension is to set the header Strict-Transport-Security: max-age=0 on every response the browser receives from localhost, replacing whatever the server sent. A max-age of zero tells the browser to stop treating the host as an HSTS host, so the browser never remembers an HSTS policy for localhost, no matter what a local server sends.

Note that the extension only matches the host localhost. HSTS entries are per host, so if you use an IP address such as 127.0.0.1 or [::1], the extension's rule does not apply and a policy sent on those origins is still cached. However, you can fork the code and add all the hosts you want to the extension.
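To make the mechanism concrete, here is an added example in JavaScript; it is not code from this post or from the No Local HSTS extension. It is a toy model of a browser's HSTS store following RFC 6797 (header only honoured on https responses, max-age=0 evicts the host, entries expire), plus a function that does what the extension does: force the header to max-age=0 on responses from a configurable host list. The response objects, the host list and the function names are constructed for illustration. It goes slightly beyond the post by also covering the fork mentioned above, where 127.0.0.1 and [::1] are added to the list.

```javascript
// Added example (not part of the original post or of the "No Local HSTS" extension):
// a small model of how a browser's HSTS store reacts to the Strict-Transport-Security
// header, and how rewriting that header to max-age=0 on localhost responses keeps the
// store clean. Host list, header values and helper names are assumptions for illustration.

// Browser-side HSTS store: host -> expiry timestamp in milliseconds.
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Parse "max-age=N[; includeSubDomains]" (RFC 6797 section 6.1); null if unusable.
  static parseMaxAge(value) {
    for (const directive of value.split(';')) {
      const [name, raw] = directive.split('=').map(s => s.trim());
      if (name.toLowerCase() === 'max-age') {
        const n = Number.parseInt((raw ?? '').replace(/^"|"$/g, ''), 10);
        return Number.isFinite(n) && n >= 0 ? n : null;
      }
    }
    return null;
  }

  // Called for every response. Only https responses can create or delete an entry;
  // the header on a plain-http response is ignored (RFC 6797 section 8.1).
  observe(response, now) {
    if (!response.https) return;
    const value = response.headers['strict-transport-security'];
    if (value === undefined) return;
    const maxAge = HstsStore.parseMaxAge(value);
    if (maxAge === null) return;
    if (maxAge === 0) this.entries.delete(response.host);      // max-age=0 evicts the host
    else this.entries.set(response.host, now + maxAge * 1000);  // otherwise (re)arm the entry
  }

  // Would the browser upgrade http://host to https before sending the request?
  upgrades(host, now) {
    const expiry = this.entries.get(host);
    if (expiry === undefined) return false;
    if (expiry <= now) { this.entries.delete(host); return false; }  // expired entry
    return true;
  }
}

// What the extension does: for responses from the listed hosts, force the header to
// max-age=0 before the browser's HSTS logic sees it. The stock extension matches only
// "localhost"; passing 127.0.0.1 and [::1] models the fork the post suggests.
function noLocalHsts(response, hosts = ['localhost']) {
  if (!hosts.includes(response.host)) return response;
  return { ...response, headers: { ...response.headers, 'strict-transport-security': 'max-age=0' } };
}

// Constructed responses: the test server in the post sends max-age=3600 on https.
const httpsLocalhost = { host: 'localhost', https: true,
  headers: { 'strict-transport-security': 'max-age=3600' } };
const httpLocalhost = { host: 'localhost', https: false,
  headers: { 'strict-transport-security': 'max-age=3600' } };
const https127 = { host: '127.0.0.1', https: true,
  headers: { 'strict-transport-security': 'max-age=3600' } };

// The same browsing sequence with and without the extension installed.
function scenario(extensionInstalled, hosts = ['localhost']) {
  const store = new HstsStore();
  const filter = r => (extensionInstalled ? noLocalHsts(r, hosts) : r);
  const t0 = 0;
  store.observe(filter(httpsLocalhost), t0);  // visit https://localhost:5001/
  store.observe(filter(httpLocalhost), t0);   // plain-http header is ignored either way
  store.observe(filter(https127), t0);        // visit https://127.0.0.1:5001/
  return {
    localhostUpgraded: store.upgrades('localhost', t0 + 1000),
    loopbackIpUpgraded: store.upgrades('127.0.0.1', t0 + 1000),
    localhostAfterExpiry: store.upgrades('localhost', t0 + 3600 * 1000 + 1),
  };
}
```

Running scenario(false) shows the browser caching the policy for localhost and 127.0.0.1 as two separate entries; scenario(true) leaves 127.0.0.1 cached because the stock rule matches only localhost, and the extended host list clears both. The model also shows why a max-age=0 header only helps once the browser actually receives an https response from localhost: the header on a plain-http response is ignored, and a stale entry that upgrades http://localhost:5000 to https://localhost:5000 (where nothing answers) never produces a response the extension could rewrite. That is why an entry that already exists has to be cleared by hand.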

It's also interesting to see how easy it is to create a browser extension. This extension contains no JavaScript at all, only a manifest file and a JSON file with the response header rewrite rules, which the browser applies itself through the declarativeNetRequest API that Manifest V3 extensions use for this kind of static rewrite.

If you want to test that the extension is working correctly, you can create a small web server in .NET:

C#
// Minimal ASP.NET Core app listening on both http and https. It sends an HSTS
// header on https responses only, since browsers ignore the header on plain http.
// The header is added by hand because the built-in UseHsts() middleware
// excludes localhost, 127.0.0.1 and [::1] by default and would never send it here.
var builder = WebApplication.CreateBuilder();
builder.WebHost.UseUrls("http://localhost:5000", "https://localhost:5001");
var app = builder.Build();
app.Use(next =>
{
    return context =>
    {
        if (context.Request.IsHttps)
        {
            // One-hour policy: long enough to observe, short enough to expire on its own.
            context.Response.Headers.StrictTransportSecurity = new("max-age=3600");
        }
        return next(context);
    };
});
app.MapGet("/", () => "Hello");
app.Run();

Run it with a trusted development certificate (for example after dotnet dev-certs https --trust): browsers discard an HSTS header received over a connection with certificate errors, so with an untrusted certificate the policy would never be cached and the test would prove nothing. Then open https://localhost:5001/ in the browser, followed by http://localhost:5000/. With the extension active, the second page loads over plain http. Without it, the browser upgrades the request to https://localhost:5000/, where nothing is listening, and the page fails to load.

Note that if the browser already has an HSTS entry for localhost, the extension cannot remove it on its own; you'll need to clear it manually as explained in the previous post.
