
My question is about Firefox and Chrome.

Is there a possibility to see which sites have set the HSTS flag in my browser?

HorstKevin
  • For those on MacOS, the Firefox profile directories are under: `~/Library/Application\ Support/Firefox/Profiles` – Ajoy Bhatia Nov 08 '16 at 22:46

3 Answers


Chrome:

  • Open Chrome
  • Type `chrome://net-internals/#hsts` in the address bar of Chrome
  • Query domain: if it appears as a result, it is HSTS-enabled

Firefox:

  • Open file explorer
  • Copy and paste the following path into the address bar of your file explorer
    • On Windows: `%APPDATA%\Mozilla\Firefox\Profiles\`
    • On Linux: `~/.mozilla/firefox`
    • On Mac: `~/Library/Application Support/Firefox/Profiles`
  • Double click the folder you see (if you have multiple Firefox profiles, there will be multiple folders)
  • Open `SiteSecurityServiceState.txt`. This text file contains sites that have enabled HSTS.
StackzOfZtuff
Michael
  • So, there is no list for Chrome, just the queries? – HorstKevin Jul 02 '15 at 18:28
  • Not as far as I know. You could take a look at the preloaded list: http://www.chromium.org/hsts – Michael Jul 02 '15 at 18:51
  • Yes, I know. But there are also sites which I visited which are not on the preload list. – HorstKevin Jul 03 '15 at 07:05
  • I don't recall if it was there in 2015, but since at least my oldest mothballed system (XP, yes I said XP, with Firefox 52.9 from 2018) the in-use profile directory is available in Help / Troubleshooting Information – dave_thompson_085 Aug 20 '21 at 00:39
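
The following Python script is an added example, not part of the answers on this page: it lists the HSTS entries found in a `SiteSecurityServiceState.txt` file and marks which have expired. The tab-separated field layout and the meaning of the state value are assumptions about the file format, and the sample lines are constructed.

```python
"""List HSTS hosts recorded in a Firefox SiteSecurityServiceState.txt (added example)."""
import sys
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample lines. Assumed layout (not stated on the page):
# key <TAB> score <TAB> last-access day <TAB> expiry_ms,state,includeSubdomains[,...]
SAMPLE = (
    "example.org:HSTS\t3\t18500\t1893456000000,1,1\n"
    "old.example.net:HSTS\t0\t16000\t1420070400000,1,0\n"
    "pins.example.com:HPKP\t1\t18000\t1893456000000,1,0,AAAA=\n"
    "cleared.example.com:HSTS\t0\t18400\t1893456000000,2,0\n"
    "broken line without tabs\n"
)

def parse_hsts(text, now=None):
    """Return one dict per entry whose key type is HSTS and whose state is 1."""
    now = now or datetime.now(timezone.utc)
    entries = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # malformed or truncated line
        key, _score, _last_day, value = fields
        name = key.split("^", 1)[0]  # drop an optional origin-attribute suffix
        host, sep, kind = name.rpartition(":")
        parts = value.split(",")
        if not sep or kind != "HSTS" or len(parts) < 3:
            continue  # other entry types (e.g. HPKP) or short values
        try:
            expiry_ms, state = int(parts[0]), int(parts[1])
            expires = datetime.fromtimestamp(expiry_ms / 1000, tz=timezone.utc)
        except (ValueError, OverflowError, OSError):
            continue
        if state != 1:  # assumption: 1 means HSTS is set, other values are cleared entries
            continue
        entries.append({"host": host, "include_subdomains": parts[2] == "1",
                        "expires": expires, "expired": expires <= now})
    return entries

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    for e in parse_hsts(text):
        flag = "expired" if e["expired"] else "active"
        sub = "+subdomains" if e["include_subdomains"] else ""
        print(f'{e["host"]:<30} {e["expires"]:%Y-%m-%d} {flag} {sub}')
```

Pass the path to the file inside the profile directory as the first argument; without an argument the script runs on the constructed sample.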

There is a Firefox plug-in called PinPatrol that lists all sites (preloaded and visited) known to have HSTS support.

This is a Firefox extension that shows, in a readable format, the state of HSTS and HPKP domains stored by the browser. Firefox does not have a native way to show these domains or this functionality documented.

schroeder
user126310

You can find the full Chrome HSTS list in the Chromium source code file `transport_security_state_static.json`.

Firefox uses the same list.

schroeder
H3V2