HSTS error: Resource blocked because the host requires HTTPS
The error
GET http://api.yoursite.com/data net::ERR_CONNECTION_REFUSED — strict-transport-security upgrade-required.
What it means
A previous response from this host included Strict-Transport-Security, so your browser remembers to never speak HTTP to it. Your code requested an http:// URL, which is now impossible.
HSTS pins HTTPS for the host. Once the browser has seen the HSTS header, it auto-upgrades any future http:// request to https:// for that host (or refuses, depending on includeSubDomains and the request type).
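To make the upgrade behaviour concrete, here is an added example (not code from the original page) that models the browser's HSTS store: it parses a Strict-Transport-Security header into a policy, remembers it per host, honours max-age expiry and includeSubDomains, and rewrites an http:// URL the way the browser would before any connection is made. The host names and header values are constructed for the demonstration; real browsers also ignore this header when it arrives over plain HTTP, so observe() should only ever be fed HTTPS responses.

```javascript
// Added example: a minimal model of a browser HSTS store.
// Host names and header values are constructed, not taken from any real site.

// Parse a Strict-Transport-Security header value into a policy object.
// Returns null when there is no valid max-age, which browsers treat as no policy.
function parseHsts(headerValue, now = Date.now()) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const [name, value] = raw.trim().split('=').map(s => s.trim());
    const lower = name.toLowerCase();
    if (lower === 'max-age' && value !== undefined && /^\d+$/.test(value)) {
      maxAge = Number(value);
    } else if (lower === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  if (maxAge === null) return null;
  return { expires: now + maxAge * 1000, includeSubDomains };
}

// host -> policy, like the browser's persistent HSTS list.
class HstsStore {
  constructor() { this.policies = new Map(); }

  // Record the policy carried by an HTTPS response. max-age=0 clears it.
  observe(host, headerValue, now = Date.now()) {
    const policy = parseHsts(headerValue, now);
    if (policy === null) return;
    const key = host.toLowerCase();
    if (policy.expires <= now) this.policies.delete(key);
    else this.policies.set(key, policy);
  }

  // Is this host covered: an exact, unexpired policy, or a parent domain's
  // policy that carries includeSubDomains?
  isKnown(host, now = Date.now()) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const policy = this.policies.get(candidate);
      if (!policy || policy.expires <= now) continue;
      if (i === 0 || policy.includeSubDomains) return true;
    }
    return false;
  }

  // The URL the browser will actually request: http:// becomes https://
  // for a known host before any socket is opened.
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) {
      u.protocol = 'https:';
    }
    return u.toString();
  }
}
```

Once a policy for the apex with includeSubDomains is stored, every http:// request to api.example.com is rewritten client-side; no HTTP request ever leaves the browser, which is exactly why a server-side redirect cannot rescue a hardcoded http:// URL.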
The fix
// Search across the codebase:
// git grep -n "http://"
// Replace each with https:// or, when proxying, with a relative path.
// Specific: fetch('http://api.example.com') → fetch('https://api.example.com')
// Specific: <img src="http://..."> → <img src="https://...">
Also check
Common adjacent root causes when the obvious fix doesn’t work.
- Is the source HTTP URL hardcoded in a CMS field, environment variable, or database row? Search those too.
- Are you developing locally against an HTTP server? Don’t deploy with localhost or http:// URLs in production env vars.
- Is the destination behind a proxy that handles redirects? Even so, browsers won’t make the initial HTTP request when HSTS is in effect.
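The grep-and-replace step and the checklist above can be turned into one small audit. The following is an added example, not the page's own tooling: it scans any text blob (source file, .env file, CMS export) for http:// URLs, classifies each as a plain https:// upgrade, a same-origin URL better replaced by a relative path behind a proxy, or a localhost/loopback URL that must not reach a production env var at all, and can apply the safe rewrites. The sample lines and host names are constructed; the `ownHosts` parameter is an assumption of this example.

```javascript
// Added example: audit hardcoded http:// URLs in code and config text.
// Sample input and host names are constructed for the demonstration.

const HTTP_URL = /\bhttp:\/\/[^\s"'`<>)]+/g;

// Scan text line by line. `ownHosts` lists hosts served from the same
// origin behind a proxy, where a relative path is the cleaner replacement.
function findInsecureUrls(text, ownHosts = []) {
  const own = new Set(ownHosts.map(h => h.toLowerCase()));
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const match of line.matchAll(HTTP_URL)) {
      const url = new URL(match[0]);
      const host = url.hostname.toLowerCase();
      let kind;
      let suggestion;
      if (host === 'localhost' || host === '127.0.0.1') {
        // Dev-only endpoint: flag it, never "fix" it by upgrading to https.
        kind = 'dev-only';
        suggestion = null;
      } else if (own.has(host)) {
        // Same origin behind the proxy: drop the scheme and host entirely.
        kind = 'same-origin';
        suggestion = url.pathname + url.search;
      } else {
        // Third-party or API host: plain scheme upgrade.
        kind = 'upgrade';
        suggestion = 'https://' + match[0].slice('http://'.length);
      }
      findings.push({ line: idx + 1, url: match[0], kind, suggestion });
    }
  });
  return findings;
}

// Apply every https:// and relative-path suggestion; dev-only URLs are left
// in place so they show up in the findings rather than being silently changed.
function rewriteInsecureUrls(text, ownHosts = []) {
  let out = text;
  for (const f of findInsecureUrls(text, ownHosts)) {
    if (f.suggestion !== null) out = out.replace(f.url, f.suggestion);
  }
  return out;
}
```

Run findInsecureUrls over the output of `git grep -n "http://"`, over your .env files and over a CMS content export, and treat any dev-only finding in a production config as a deployment blocker rather than something to rewrite.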
Scan for related issues
This error is in our headers scanner. Run a free scan to find what else is misconfigured in the same area.
FAQ
Frequently asked questions
- Can I disable HSTS for testing?
- In Chrome: chrome://net-internals/#hsts → Delete domain security policies. In production, you cannot — and you shouldn’t want to. HSTS is a security feature, not a bug.
- How do I get on the HSTS preload list?
- Submit at hstspreload.org. Requires max-age ≥ 31536000, includeSubDomains, preload directive, and HTTPS for the apex + all subdomains. Once preloaded, the policy is shipped in browsers — irreversible without a months-long removal process.
Related fixes
Tighten this area further
Missing HSTS header
HSTS tells browsers to always use HTTPS for your site. Without it, users can be downgraded to HTTP and have sessions stolen. Here is how to add HSTS on Vercel, Next.js, and other hosts.
Mixed content warnings
Loading HTTP resources from an HTTPS page breaks the security guarantee. Browsers block most of it automatically now — here is how to fix the rest.