How do I clear HSTS in Chrome?

Go to chrome://net-internals/#hsts. In the 'Delete domain security policies' section, enter the domain name and click Delete. This clears the dynamically cached HSTS policy but cannot override preloaded domains.

Can I bypass preloaded HSTS?

No. Preloaded HSTS is compiled into the browser source code. You cannot override it with any browser settings. The only solution is to fix the SSL certificate on the server to be valid and trusted.

HSTS Security Error — Browser Refuses to Connect and Cannot Add Exception

Errorsecurity

Overview

Fix browser HSTS error where a site with expired or invalid SSL certificate cannot be accessed because HSTS prevents adding a security exception.

Key Details

HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS and never accept invalid certificates
When HSTS is active, browsers do not show an 'Accept Risk' or 'Proceed Anyway' option for certificate errors
HSTS is either sent via HTTP header or hardcoded in the browser (HSTS preload list)
The policy persists for the duration of the max-age value (often 1 year) even after clearing browser data
This is a security feature designed to prevent man-in-the-middle attacks

Common Causes

Website SSL certificate expired but HSTS prevents bypassing the certificate error
Development environment using self-signed certificate on a domain with HSTS enabled
Site previously set a long HSTS max-age and now has SSL issues
Domain on the HSTS preload list cannot be accessed with any certificate issues

Steps

1Fix the SSL certificate on the server — this is the proper solution for HSTS certificate errors
2Chrome: clear HSTS for the domain at chrome://net-internals/#hsts > Delete domain security policies
3Firefox: close Firefox, edit SiteSecurityServiceState.txt in profile folder, remove the domain entry
4For development: use a different domain for dev (e.g., dev.example.local) that does not have HSTS
5If on the preload list: you must fix the certificate; there is no way to bypass preloaded HSTS

More in Security

windows-defender-errorsWindows Defender Errors — Antivirus Not Working or Updating

Error

windows-error-0x80073b01-defender-serviceWindows Error 0x80073B01 — Windows Defender Service Failed to Start

Error

windows-bitlocker-recovery-key-errorsBitLocker Recovery Key Errors — Drive Locked and Recovery Key Not Found

Critical

mac-gatekeeper-app-blockedMac Gatekeeper — App Cannot Be Opened (Unidentified Developer)

Warning

mac-filevault-recovery-errorsMac FileVault Errors — Encryption, Decryption & Recovery Key Issues

Error

mac-keychain-errors-passwordsMac Keychain Errors — Password Prompts, Locked Keychain, and Repair Guide

Warning

Frequently Asked Questions

HSTS specifically prevents this. Its purpose is to ensure the connection is always encrypted with a valid certificate. Allowing an exception would defeat the entire purpose of HSTS and expose users to potential attacks.

HSTS Security Error — Browser Refuses to Connect and Cannot Add Exception

Overview

Key Details

Common Causes

Steps

Tags

More in Security

Frequently Asked Questions