HSTS Security Error — Browser Refuses to Connect and Cannot Add Exception
About HSTS Security Error
How to fix the browser HSTS error in which a site with an expired or invalid SSL certificate cannot be accessed because HSTS prevents adding a security exception. The sections below cover the key details, common causes, and step-by-step solutions.
Quick Answer
Why can I not click 'Accept Risk' like with other certificate errors?
HSTS specifically prevents this. Its purpose is to ensure the connection is always encrypted with a valid certificate. Allowing an exception would defeat the entire purpose of HSTS and expose users to potential attacks.
Key Details
- HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS and never accept invalid certificates
- When HSTS is active, browsers do not show an 'Accept Risk' or 'Proceed Anyway' option for certificate errors
- HSTS is either sent via HTTP header or hardcoded in the browser (HSTS preload list)
- The policy persists for the duration of the max-age value (often 1 year) even after clearing browser data
- This is a security feature designed to prevent man-in-the-middle attacks
Common Causes
- Website SSL certificate expired but HSTS prevents bypassing the certificate error
- Development environment using self-signed certificate on a domain with HSTS enabled
- Site previously set a long HSTS max-age and now has SSL issues
- Domain on the HSTS preload list cannot be accessed with any certificate issues
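The interaction between max-age and certificate expiry described above, as an added example that is not part of the original page: a Python parser for the `Strict-Transport-Security` header value following the RFC 6797 section 6.1 rules, plus a calculation of how long a browser keeps enforcing a cached policy after the certificate has expired. The function names `parse_hsts` and `lockout_window` are hypothetical, and the dates are constructed sample values.

```python
import re
from datetime import datetime, timedelta, timezone

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def parse_hsts(value):
    """Parse one Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns a dict, or None when a conforming browser would ignore the header."""
    seen = {}
    for part in value.split(";"):  # a quoted value containing ';' fails the token check
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if not TOKEN.fullmatch(name) or name in seen:
            return None  # malformed name or repeated directive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # max-age="300" is legal
        seen[name] = val
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,  # not in the RFC; consent token for the preload list
    }

def lockout_window(header, received_at, cert_not_after):
    """Time a browser that cached this policy at received_at still enforces it
    after the certificate's notAfter date."""
    policy = parse_hsts(header)
    if policy is None or policy["max_age"] == 0:
        return timedelta(0)  # ignored header, or max-age=0 which deletes the policy
    policy_expiry = received_at + timedelta(seconds=policy["max_age"])
    return max(policy_expiry - cert_not_after, timedelta(0))

if __name__ == "__main__":
    # Constructed sample values, not taken from a real site.
    seen_at = datetime(2024, 1, 1, tzinfo=timezone.utc)
    not_after = datetime(2024, 3, 1, tzinfo=timezone.utc)
    print(parse_hsts("max-age=31536000; includeSubDomains; preload"))
    print(lockout_window("max-age=31536000; includeSubDomains", seen_at, not_after))
```

The window is measured from the visitor's last successful visit, because each valid response carrying the header restarts the max-age timer. A preloaded domain has no such expiry.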
Steps
1. Fix the SSL certificate on the server — this is the proper solution for HSTS certificate errors
2. Chrome: clear HSTS for the domain at chrome://net-internals/#hsts > Delete domain security policies
3. Firefox: close Firefox, edit SiteSecurityServiceState.txt in the profile folder, and remove the domain entry
4. For development: use a different domain for dev (e.g., dev.example.local) that does not have HSTS
5. If the domain is on the preload list: you must fix the certificate; there is no way to bypass preloaded HSTS