Disable HSTS

Disabling HSTS is a two-step process. You first let shoppers access your site using an insecure connection and then, stop your site from sending HSTS in the header.

If you simply disable the HSTS headers on your site, your site stops sending the HSTS requirement to browsers, but it's likely that many browsers have already received a max age from your site. A browser doesn't check your site's header again until the max age expires. The only time a browser checks your header is when you change the max age. Therefore, before disabling your site's HSTS headers, set the max age to 0, which lets customers access your site through an insecure connection.

The second step is to disable the HSTS headers. Before disabling, we recommend waiting the longest period of time that you have ever set your max age. For example, on April 1, you set the max age to one month. On April 5, you changed it to one week. Wait until May 1, one month after April 1, before disabling the headers.

  1. Select Administration > Sites > Embedded CDN Settings.
  2. Click Configure Zones.
  3. On the Crypto tab, set Max Age to 0. When the max age is 0, browsers drop the requirement that a connection is made through a secure connection.
  4. Wait the longest period that you've set your max age before disabling the HSTS headers.
  5. To disable the HSTS headers, click Enabled.
  6. Click Confirm.
X Privacy Update: We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used. By continuing to use this site you are giving us your consent to do this. Privacy Policy.