Disable HSTS for self-signed?

A self-signed cert on the local development server gives you a lot of errors in the Console, like:
Strict-Transport-Security: The connection to the site is untrustworthy, so the specified header was ignored.
I tried to disable HSTS according to the docs with hsts_max_age: 0, but that doesn’t seem to work? Still shows the same errors after reprovisioning.

Or maybe the SSL config just isn’t updated when you reprovision with added hsts_max_age: 0?

I tried hsts_max_age: 0 but the security errors remain (in Firefox console that is). HSTS doesn’t make much sense with a self-signed cert, does it? Maybe it would be better to completely disable HSTS for self-signed?

Did you get anywhere with this? I’m getting dozens of these warnings filling up my console every time I reload the page on my development environment. I can filter them out, but I’m not satisfied. I’ve set hsts_max_age: 0 and my provider: self-signed.

No. I turned off the warnings in the console. As I said, I guess HSTS should be completely disabled for self-signed. I’ll try to figure it out when I have some time.

@strangeways
FYI: I just added a small PR for that:

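An added example, not part of any post in this thread or of the project's code: a small checker that distinguishes a response with no Strict-Transport-Security header from one that sends max-age=0, since only the first gives the browser nothing to evaluate. The header values are constructed samples, and that a max-age of 0 is still emitted as a header in this setup is an assumption.

```python
# Added example: classify what a response says about HSTS (RFC 6797).

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a directive dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # a directive may appear only once
            raise ValueError("duplicate directive: " + name)
        directives[name] = arg.strip().strip('"')
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        raise ValueError("max-age is required and must be a non-negative integer")
    directives["max-age"] = int(age)
    return directives


def hsts_state(headers):
    """Return 'absent', 'invalid', 'sent-expire' or 'sent-enforce'."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "absent"          # nothing for the browser to evaluate or log
    try:
        policy = parse_hsts(value)
    except ValueError:
        return "invalid"
    # max-age=0 asks the browser to forget the host, but the header is still sent
    return "sent-expire" if policy["max-age"] == 0 else "sent-enforce"


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "default": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "max_age_zero": {"strict-transport-security": "max-age=0"},
    "header_removed": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, "->", hsts_state(headers))
```

Feeding it the response headers from the development site shows whether reprovisioning removed the header or only changed its value.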