2

Is it possible to disable HTTP Strict Transport Security in IE 11?

Example of why one would want to do this: A particular user group has filtered internet access through a proxy where only whitelisted domains and URLs are allowed. You want to allow access to http://www.xyzzy.com/hi/there but because the website uses HTTP Strict Transport Security users are being redirected to https://www.xyzzy.com/hi/there. In this situation, you'd be forced to allow access to all of https://www.xyzzy.com.

wrieedx
    It's probably not a good idea, as the website with HSTS will probably answer with a 301 redirect on the http version to the https. So except if the proxy does a full man-in-the-middle with sslstrip, getting rid of HSTS will be useless. – Tom Apr 20 '16 at 08:55

1 Answer

1

Yes. This page, which was prominent in Google when I typed in your thread title, tells you how.

However, this doesn't sound like a good idea. You may be better off getting better blocking software that lets you block by protocol as well as domain name.

This is in a code block, sorry, formatting it properly takes ages. Look at the linked page for formatting.

For x86-based systems

Click Start, click Run, type regedit, and then click OK.
Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
On the Edit menu, point to New, and then click Key.
Type FEATURE_DISABLE_HSTS, and then press Enter.
Click FEATURE_DISABLE_HSTS.
On the Edit menu, point to New, and then click DWORD value.
Type iexplore.exe.
On the Edit menu, click Modify.
In the Value data box, type 1, and then click OK.

Note The valid values for the iexplore.exe subkey are 0 and 1. A value of 1 disables the feature, and 0 enables the feature.
Exit Registry Editor.

For x64-based systems

Click Start, click Run, type regedit, and then click OK.
Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
On the Edit menu, point to New, and then click Key.
Type FEATURE_DISABLE_HSTS, and then press Enter.
Click FEATURE_DISABLE_HSTS.
On the Edit menu, point to New, and then click DWORD value.
Type iexplore.exe.
On the Edit menu, click Modify.
In the Value data box, type 1, and then click OK.

Note The valid values for the iexplore.exe subkey are 0 and 1. A value of 1 disables the feature, and 0 enables the feature.
Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\
On the Edit menu, point to New, and then click Key.
Type FEATURE_DISABLE_HSTS, and then press Enter.
Click FEATURE_DISABLE_HSTS.
On the Edit menu, point to New, and then click DWORD value.
Type iexplore.exe.
On the Edit menu, click Modify.
In the Value data box, type 1, and then click OK.

Note The valid values for the iexplore.exe subkey are 0 and 1. A value of 1 disables the feature, and 0 enables the feature.
Exit Registry Editor.
Tim
  • I tried the above suggestion and I was still being switched over to https. So I tried a packet capture, and just as mentioned in a comment above by Tom, I was able to verify that indeed I was being HTTP redirected to the https version of the site. So in short, I'm not sure if the setting to disable HTTP Strict Transport Security worked or not, but for this particular website even if the setting did work it was rendered meaningless by the HTTP redirect. – wrieedx Apr 22 '16 at 02:41
  • @wrieedx that was the point of my comment. – Tom Apr 25 '16 at 14:24
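
The distinction raised in the comments (a server-side 301 versus the browser's own HSTS upgrade) can be checked directly from captured responses. The following is an added example, not part of the original thread: the two raw responses are constructed samples for the URL in the question, and the function names are hypothetical.

```python
# Added example: decide from captured HTTP responses why a browser ends up on HTTPS.
# Both raw responses are constructed samples, not real traffic from the site in the question.
HTTP_CAPTURE = (   # response to GET http://www.xyzzy.com/hi/there (constructed)
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.xyzzy.com/hi/there\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Content-Length: 0\r\n\r\n"
)
HTTPS_CAPTURE = (  # response to GET https://www.xyzzy.com/hi/there (constructed)
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def parse_response(raw):
    """Return (status_code, headers) with lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            max_age = int(val.strip('"'))
        elif key.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def explain_upgrade(http_raw, https_raw):
    """Report whether the server redirects plain HTTP and whether it sets an HSTS policy."""
    status, headers = parse_response(http_raw)
    location = headers.get("location", "")
    server_redirect = status in (301, 302, 303, 307, 308) and location.lower().startswith("https://")
    # RFC 6797: an STS header received over plain HTTP is ignored, so only the HTTPS response counts.
    _, tls_headers = parse_response(https_raw)
    max_age, subdomains = parse_hsts(tls_headers.get("strict-transport-security", ""))
    hsts_active = max_age is not None and max_age > 0
    return {"server_redirect": server_redirect, "status": status,
            "hsts_active": hsts_active, "include_subdomains": subdomains}
```

When `server_redirect` is true, the switch to HTTPS happens on every plain-HTTP request regardless of any browser-side HSTS setting, which matches what the packet capture in the comments showed.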