Can HSTS be disabled in Firefox?

Question

For pentesting/VA, it is, of course, imperative to always be able to see the HTTP site of a target. If present, HSTS conflicts with this need.

Without using a proxy to address the problem (e.g. Burp), is it possible to natively disable HSTS in Firefox?

I doubt it. It would run counter to [the *No User Resource*](https://tools.ietf.org/html/rfc6797#section-12.1) desire in the HSTS standard. — user, Oct 09 '15 at 12:41
Out of curiosity, why the "without using a proxy" requirement? Web pentesting without an intercepting proxy would be like trying to write code in Notepad; you could technically do it, but you'd be wasting far more of your time than it would take do download a minimally-proper tool for the task. HSTS can be easily bypassed or suppressed (set the max-age to 0) in a proxy. — CBHacking, Oct 09 '15 at 19:05
This is a pure Firefox question, not an InfoSec question. I'd ask over on Firefox forums. — schroeder, Oct 09 '15 at 20:57
@CBHacking "without a proxy" is no requirement of mine; it was just a way to avoid getting answers that say "you could do this in your proxy". I was simply interested as to whether anyone knew if it could be switched off in the browser. — Cheekysoft, Oct 12 '15 at 14:02
@MichaelKjörling, "No User Resource" refers to "should not be presented with a **dialog**". But we ain't talking about dialogs here, shouldn't the browser provide at least some obscure settings for testers who wish to disable it? — Pacerier, Nov 06 '15 at 09:36
Introducing the variable "test.currentTimeOffsetSeconds" did not work — , Dec 21 '15 at 22:07
Use Pale Moon. It allows you to override certificate errors for HSTS-enabled sites like normal. — linuxrocks123, Apr 20 '17 at 02:57

score 36 · Answer 1 · edited Sep 08 '20 at 14:26

Type about:support in firefox
Click Profile Folder | Open Folder which should open your profile folder.
Find file called SiteSecurityServiceState.txt and open it
Find the entry for your site url and remove it. Entry would looks something like - github.com:HSTS 120 17242 1521194647604,1,1
Make sure for above firefox is closed so that it does not overwrite it.

Firefox stores HSTS entries in this file with their expiration periods. Removing this entry should allow you to hit http url. TO further prevent it you can probably change permission of this file to read only.

More details - Understanding HTTP Strict Transport Security (HSTS)

NOTE : This will not work for well known sites like google as those lists are preloaded by browsers. Works fine for others. See above link for details.

A bit clunky but I can confirm this works in Firefox 79. – user1258361 Dec 04 '20 at 18:46 — user1258361, Dec 04 '20 at 18:46

score 26 · Answer 2 · answered Oct 09 '15 at 18:43

26

According to several forums, you can disable HSTS by introducing a new configuration variable. First, go to the Firefox configuration page (about:config), right-click, choose "New Integer", then provide the name "test.currentTimeOffsetSeconds" (no quotes) with a value of 11491200. This should bypass HSTS, although you may also need to clear the Cache and Active Logins in the Clear Recent History dialog (Ctrl-Shift-Del).

This apparently works because of a function called GetPreloadListEntry that checks to see if the current time is less than the next list expiration time; since the time is effectively calculated to be later than the expiration time, no check is performed. This effectively disables HSTS checks.

answered Oct 09 '15 at 18:43

phyrfox

5,724
20
24

This does not work on Firefox 45.0.2 for Mac. Check is not disabled. – MST May 31 '16 at 17:51
Doesn't work on Linux with failfox 46.0 – Super-intelligent Shade Jun 05 '16 at 20:38
1

Works in Firefox 47.0 in Windows if "Forget About This Site" is also used. – Neurotransmitter Jul 11 '16 at 10:36
Doesn't work on Linux with Firefox 49.0, even if "Forget About This Site" is also used. – LegionMammal978 Nov 22 '16 at 18:27
1

It does work on Linux with Firefox 51.0.1. To "Forget About This Site" press "Ctrl+h", search for the domain you want to forget (perhaps you need to do that not only on "example.com" but also on "a.example.com", "b.example.com" etc), right-click and select "Forget ..." on all the matches. Maybe you will also require restart. – derenio Feb 27 '17 at 11:20
working for me in Firefox Quantum 59.0.2 ! – Henrique de Sousa Apr 04 '18 at 16:09
In FF 69.03 x64 on Windows 7, I had to do the following for this to work: 1) The time offset thing mentioned in this answer. 2) Setting network.stricttransportsecurity.preloadlist to false as mentioned in the answer below (https://security.stackexchange.com/a/195679/55040). And 3) Clear all my browser cache, history, and restart the browser. – Jordan Rieger Oct 16 '19 at 18:19

score 24 · Answer 3 · edited Jun 23 '20 at 14:32

24

I was able to disable it by setting network.stricttransportsecurity.preloadlist to false in about:config

Then, to see the add exception button you may need to refresh the cache doing the 5 steps listed here: https://security.stackexchange.com/a/154176

edited Jun 23 '20 at 14:32

Community

1

answered Oct 14 '18 at 04:24

Tobia

435
3
7

Does not work on 67.0.2+build2-0ubuntu0.16.04.1 – Willem Jun 17 '19 at 09:06
Works on FF 68.0. – harvzor Jul 18 '19 at 11:31
Tested on Firefox 67 and 68. Does not work. -1 – user1258361 Aug 15 '19 at 19:13
4

Works on Firefox 71, you might also want to remove the site from your history first by using the "Forget about this site" feature (from the History) – Romuald Brunet Dec 13 '19 at 19:16
Works on Linux - Firefox 71. No need to do anything else. – Stefanos Chrs Jan 07 '20 at 00:01
Didn't work for me on Linux Firefox 72. I tried clearing browser history and restarted Firefox after changing config but no luck – Miguel Mota Feb 10 '20 at 23:25
This did the trick for me! Since I have control over the proxy of the website, FF remembered the HSTS header, even when I removed it at the proxy level, it didn't bothered to check the header existence again. But when I set this flag it checked again, and then allow me to skip the self-signed cert. – JonnieJS Apr 30 '20 at 14:49
Works on FF 84 on Mac. No other solution worked for me there - even using new profile. – Martin Ždila Jan 13 '21 at 15:36
Worked for me in FF 91.9.0esr on Debian 11. – matmat Jun 15 '22 at 06:29

score 1 · Answer 4 · answered Dec 24 '18 at 11:56

1

If your scenario is that you've accidentally set HSTS on a site you're working on and need to clear it, "Forget about this site" does the trick.

answered Dec 24 '18 at 11:56

RomanSt

1,180
9
25

Can HSTS be disabled in Firefox?

4 Answers4