I bought a domain from a stranger and it seems like he protected the domain with HSTS-preloading.

Is HSTS bound to the specific certificate which was used when HSTS was activated or can I just create a new cert for the domain and activate HSTS again via .htaccess?

Is removing HSTS a usable scenario? I read a lot of posts saying that removing HSTS isn't possible that easily.

rockZ
2 Answers

3

HSTS, or the Strict-Transport-Security header, specifies that the site is only to be accessed over HTTPS. It does not specify anything about the certificate, so you can just buy a new certificate anywhere; users will be able to visit your site over HTTPS.

There is another technique to limit which certificate can be used, HTTP Public Key Pinning (HPKP). If the previous owner did that, then you can only use the original certificate or a certificate from a specific CA.

In theory, HSTS can be disabled by specifying max-age=0 in the header. However, this header can only be served over HTTPS, so you will need HTTPS anyway to disable it.

Sjoerd
1

HSTS is tied to the domain (and usually subdomains), not the certificate. includeSubDomains is included in the header if subdomains are included. However, for submission to the preload list this is required, so this will be the case with your domain.

I would recommend keeping HTTPS (see here). Therefore you should redirect HTTP to HTTPS and then continue setting the header for all HTTPS responses.

Whatever your wishes, you can update the header to set your own HSTS policy (use max-age=0 to remove HTTPS enforcement but note this must be set over HTTPS also) and then resubmit your site to the preload list for it to be updated.

If you remove HTTPS enforcement then, unless your site currently supports HTTPS, nobody using a browser that supports the preload list will be able to connect to it until your entry is updated and that browser version is deployed.

So the short answer is that it is possible to remove HSTS, but a) why would you want to? and b) it will take a while and you will have to support HTTPS in the meantime.
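The points both answers make (the header is bound to the host, not the certificate; a header received over plain HTTP is ignored; `max-age=0` clears the cached policy but cannot touch a preload-list entry; `includeSubDomains` and `preload` are required for preload submission) can be checked against a small model of how a browser processes `Strict-Transport-Security` per RFC 6797. This is an added illustration, not code from either answer; the host names and the one-year minimum `max-age` used in `preload_eligible` reflect the published hstspreload.org requirements, and the `HstsStore` class is a simplified stand-in for a real browser's HSTS cache.

```python
"""Minimal model of browser-side HSTS processing (RFC 6797) plus a preload
eligibility check. Constructed example; host names are made up."""
from dataclasses import dataclass

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year


@dataclass
class HstsEntry:
    expires: float           # absolute time (seconds) after which the entry lapses
    include_subdomains: bool


def parse_sts(header):
    """Parse an STS header value into its directives.

    Returns None when the header is invalid: missing max-age, non-numeric
    max-age, or a directive given twice (RFC 6797 section 6.1)."""
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}


def preload_eligible(directives):
    """True if the header meets the hstspreload.org header requirements."""
    return (directives is not None
            and directives["max_age"] >= ONE_YEAR
            and directives["include_subdomains"]
            and directives["preload"])


class HstsStore:
    """Preloaded hosts (shipped with the browser, always includeSubDomains)
    plus the dynamic cache filled from headers seen over HTTPS."""

    def __init__(self, preload_hosts):
        self.preload = {h.lower() for h in preload_hosts}
        self.dynamic = {}

    def process_response(self, host, over_https, header, now):
        """Apply an STS header from a response. Returns True if it was honoured.

        Headers received over plain HTTP are ignored (RFC 6797 section 8.1).
        max-age=0 deletes the dynamic entry but never the preload entry."""
        if not over_https:
            return False
        d = parse_sts(header)
        if d is None:
            return False
        host = host.lower()
        if d["max_age"] == 0:
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = HstsEntry(now + d["max_age"], d["include_subdomains"])
        return True

    def is_known_host(self, host, now):
        """Would the browser force HTTPS for this host right now?"""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = (i == 0)
            if candidate in self.preload:
                return True                 # preload entries cover subdomains
            entry = self.dynamic.get(candidate)
            if entry and entry.expires > now and (exact or entry.include_subdomains):
                return True
        return False


if __name__ == "__main__":
    store = HstsStore(["preloaded.example"])
    store.process_response("preloaded.example", True, "max-age=0", now=0.0)
    print("still enforced after max-age=0:", store.is_known_host("preloaded.example", 0.0))
```

Running the block shows the second answer's warning in miniature: `max-age=0` served over HTTPS empties the dynamic cache for `preloaded.example`, yet `is_known_host` still returns True because the preload entry lives in the browser build, not in the cache, and only a list update shipped in a new browser version removes it.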