Firefox HSTS Settings store

2015-10-31 by romanb. Tags: firefox, hacks, https

So I've set HSTS on the whole domain with subdomains, preloaded, with a cosmic max-age, like:

Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

And now Firefox forces HTTPS on every subdomain, even if I enter http:// directly into the address bar.

Changing HSTS to:

Strict-Transport-Security "max-age=3600"

doesn't help because the previous one is somehow cached for a very long time.

Clearing cache and history doesn't help either; Firefox still stores it somewhere. On a clean profile everything works OK.

So there is this file in your Firefox profile directory called SiteSecurityServiceState.txt.

Close Firefox so that nothing is using your profile directory, then edit that file and remove your site's entry from it.
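
The manual edit above can be scripted. This is an added example, not code from the original post: it assumes each line of SiteSecurityServiceState.txt is tab-separated and starts with a key of the form host:HSTS, and it goes one step further than the post by also dropping entries recorded for subdomains. The function names and the sample lines are constructed for illustration.

```python
import shutil
import sys
from pathlib import Path

# Assumed line layout (not documented on the page):
#   <host>[^originAttributes]:<HSTS|HPKP> TAB score TAB last-access-day TAB value
# Constructed sample lines, not taken from a real profile.
SAMPLE = (
    "example.org:HSTS\t0\t16739\t1509408000000,1,1\n"
    "dev.example.org:HSTS\t3\t16739\t1509408000000,1,0\n"
    "notexample.org:HSTS\t1\t16739\t1509408000000,1,0\n"
    "other.test:HSTS\t0\t16739\t1446339600000,1,0\n"
)

def entry_host(line):
    """Extract the lowercase host name from one state-file line."""
    key = line.split("\t", 1)[0]       # first tab-separated field is the key
    host = key.rsplit(":", 1)[0]       # drop the ":HSTS" / ":HPKP" suffix
    return host.split("^", 1)[0].strip().lower()  # drop origin attributes

def matches(host, domain):
    """True for the domain itself and its subdomains, not look-alike hosts."""
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def filter_state(text, domain):
    """Return (remaining file text, list of removed lines) for `domain`."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        (removed if matches(entry_host(line), domain) else kept).append(line)
    return "".join(kept), removed

def forget_site(state_file, domain):
    """Rewrite the file without `domain`; keeps a .bak copy. Firefox must be closed."""
    state_file = Path(state_file)
    new_text, removed = filter_state(state_file.read_text(encoding="utf-8"), domain)
    if removed:
        shutil.copy2(state_file, state_file.with_name(state_file.name + ".bak"))
        state_file.write_text(new_text, encoding="utf-8")
    return len(removed)

if __name__ == "__main__":
    if len(sys.argv) == 3:             # usage: script.py <state file> <domain>
        print(forget_site(sys.argv[1], sys.argv[2]), "entries removed")
    else:                              # no arguments: dry run on the sample
        print("".join(filter_state(SAMPLE, "example.org")[1]), end="")
```

Run without arguments, it prints the sample lines that would be removed for example.org; with a file path and a domain, it rewrites that file and leaves the original beside it with a .bak suffix.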