Lee4591628

Removal from HSTS preload list?

@Lee4591628

Posted in: #Hsts #Https

A client has moved their website to another provider who does not support secure (HTTPS) browsing. The previous site was served over HTTPS and sent HSTS headers and was included on the Chrome HSTS preload list, so many browsers automatically attempt a redirect to HTTPS, resulting in an error.

Chromium "Issue 467486: Remove website from HSTS list" highlights one specific website that required a whole discussion with developers to be removed. Is raising an issue to the Chromium team the only method to request removal?





1 Comments


@Martha676

The idea with HSTS is that you make sure that HTTPS is even enforced and thus the user is protected against attacks like sslstrip which try to downgrade the connection of the user to insecure HTTP.

This means using any of these options shows a huge commitment to the security of the user and that you probably have sensitive data to protect. Insofar, it is very strange that your client now feels that SSL is not needed any more.

But, to get back to connections with no SSL the client must wait until the time specified in the HSTS max-age attribute is over. And with preloaded HSTS it must first make sure that the entry is removed from the browser's code itself (i.e. contact the developers) and then must wait until everybody has upgraded the browser to the newer version which does not have the HSTS entry any longer. For all that time the client had better still be reachable by HTTPS. And this can take months. From hstspreload.appspot.com/:


Be aware that inclusion in the preload list cannot really be undone. You can request to be removed, but it will take months for the deleted entry to reach users with a Chrome update and we cannot make guarantees about other browser vendors. Don't request inclusion unless you're sure that you can support HTTPS for the long term.
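To make the two timelines in the answer concrete, here is an added example (not code from the original thread) that parses a Strict-Transport-Security header to work out when a returning browser stops forcing HTTPS, and checks a host against preload entries; the preload entry format (name, mode, include_subdomains) and all sample values are assumptions constructed for the example.

```python
"""Added example: estimate how long HSTS keeps forcing HTTPS for a host."""
from datetime import datetime, timedelta


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into its RFC 6797 directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                raise ValueError(f"bad max-age value: {value!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def enforcement_end_iso(header: str, last_seen_iso: str) -> str:
    """ISO timestamp at which a client that last saw `header` at `last_seen_iso`
    stops forcing HTTPS on its own (preloaded entries are not affected)."""
    last_seen = datetime.fromisoformat(last_seen_iso)
    return (last_seen + timedelta(seconds=parse_hsts(header)["max_age"])).isoformat()


def preloaded(host: str, preload_list: list) -> bool:
    """True if `host` (or a parent with include_subdomains) is force-https preloaded.
    Entry layout is an assumption for this example, not the real list file."""
    labels = host.lower().split(".")
    for entry in preload_list:
        if entry.get("mode") != "force-https":
            continue
        entry_labels = entry["name"].lower().split(".")
        if labels == entry_labels:
            return True
        if entry.get("include_subdomains") and len(labels) > len(entry_labels) \
                and labels[-len(entry_labels):] == entry_labels:
            return True
    return False


# Constructed sample data for the example; not real preload list contents.
SAMPLE_PRELOAD = [{"name": "example.com", "mode": "force-https", "include_subdomains": True}]
SAMPLE_HEADER = "max-age=31536000; includeSubDomains; preload"
```

A site winding down HTTPS can send `max-age=0` (RFC 6797) so that returning clients drop the stored policy, but that does nothing for the preloaded entry, which is exactly the case the answer describes.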


