HSTS cache management in browsers
HSTS (HTTP Strict Transport Security) cache management involves the administrative and technical procedures for viewing, querying, and deleting the security policies that browsers store for specific domains.^[600-developer-tools-security-strict-transport-security.md]
When a server issues the Strict-Transport-Security header, the browser records the directive and forces all future requests to that domain to use HTTPS for the duration defined by the max-age directive^[600-developer-tools-security-strict-transport-security.md]. This cached policy can interfere with local development environments that use HTTP or self-signed certificates, making manual cache management a necessary skill for developers^[600-developer-tools-security-strict-transport-security.md].
Management by Browser
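How a cached policy ends up blocking a local HTTP site, as an added example (not taken from the cited source or from any browser's code): a simplified model of the browser's HSTS store. It goes beyond the text above by also modelling the includeSubDomains directive and max-age=0 from RFC 6797; the names HstsStore, note, isForced and demo, and the example.test hosts, are constructed for illustration.

```javascript
// Simplified model of a browser's HSTS store, following RFC 6797 (not browser source).
class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires (ms), includeSubDomains }
  }
  // Record a Strict-Transport-Security header received from `host` at time `now` (ms).
  // The header is only honoured on HTTPS responses; over plain HTTP it is ignored.
  note(host, headerValue, viaHttps, now) {
    if (!viaHttps) return false;
    let maxAge = null;
    let includeSubDomains = false;
    for (const part of headerValue.split(";")) {
      const [name, raw = ""] = part.trim().split("=");
      const key = name.trim().toLowerCase();
      if (key === "max-age") {
        const value = raw.trim().replace(/^"(.*)"$/, "$1");
        if (!/^\d+$/.test(value)) return false; // malformed: ignore the header
        maxAge = Number(value);
      } else if (key === "includesubdomains") {
        includeSubDomains = true;
      }
    }
    if (maxAge === null) return false; // max-age is a required directive
    const hostKey = host.toLowerCase();
    if (maxAge === 0) this.entries.delete(hostKey); // max-age=0 drops the cached policy
    else this.entries.set(hostKey, { expires: now + maxAge * 1000, includeSubDomains });
    return true;
  }

  // True if a request to `host` at time `now` would be forced to HTTPS.
  isForced(host, now) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join("."));
      if (!entry || entry.expires <= now) continue; // no policy, or it has expired
      if (i === 0 || entry.includeSubDomains) return true; // exact host or covered subdomain
    }
    return false;
  }
}

// Constructed scenario: a policy set on example.test also captures a dev subdomain.
function demo() {
  const store = new HstsStore();
  store.note("example.test", "max-age=31536000; includeSubDomains", true, 0);
  const blockedDev = store.isForced("dev.example.test", 1000);
  store.note("example.test", "max-age=0", true, 2000);
  return { blockedDev, afterReset: store.isForced("dev.example.test", 3000) };
}
```

In the model, the dev subdomain stays forced to HTTPS until the entry expires or is removed, which is the situation the browser procedures on this page resolve by hand.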
Different browsers store HSTS data in different ways, requiring specific procedures to clear the cache.
Chrome (and Chromium-based)
Chrome provides a dedicated internal interface to manage the HSTS cache directly^[600-developer-tools-security-strict-transport-security.md].
- Navigate to chrome://net-internals/#hsts in the address bar^[600-developer-tools-security-strict-transport-security.md].
- Locate the Delete domain section^[600-developer-tools-security-strict-transport-security.md].
- Enter the project's domain name and click Delete^[600-developer-tools-security-strict-transport-security.md].
- Optionally, use the Query domain section to verify that the HSTS policy has been successfully removed^[600-developer-tools-security-strict-transport-security.md].
Note: The Opera browser utilizes the same method as Chrome^[600-developer-tools-security-strict-transport-security.md].
Safari
Safari stores HSTS policies in a configuration file on the filesystem. To clear the cache, the user must delete this file^[600-developer-tools-security-strict-transport-security.md].
- Quit Safari completely.^[600-developer-tools-security-strict-transport-security.md]
- Delete the file ~/Library/Cookies/HSTS.plist^[600-developer-tools-security-strict-transport-security.md].
- Restart Safari^[600-developer-tools-security-strict-transport-security.md].
In rare instances, a system restart may be required for the changes to take full effect^[600-developer-tools-security-strict-transport-security.md].
Firefox
Firefox does not offer a granular interface to delete HSTS data for a single domain. Instead, users must clear site-specific data, which removes permissions and cache entries, including HSTS policies^[600-developer-tools-security-strict-transport-security.md].
- Close all open tabs and windows^[600-developer-tools-security-strict-transport-security.md].
- Clear the browser's history and cache^[600-developer-tools-security-strict-transport-security.md].
- Navigate to about:permissions in the address bar^[600-developer-tools-security-strict-transport-security.md].
- Search for the specific domain in the list^[600-developer-tools-security-strict-transport-security.md].
- Click Forget About This Site^[600-developer-tools-security-strict-transport-security.md].
Sources
^[600-developer-tools-security-strict-transport-security.md]