
So I placed this in my Global.asax.cs to enforce HTTPS using HSTS

protected void Application_BeginRequest(Object sender, EventArgs e)
{
    // Skip local requests and do nothing unless enforcement is switched on.
    if (!Request.IsLocal && AppSettings.IsSSLEnforced)
    {
        switch (Request.Url.Scheme)
        {
            case "https":
                // Tell the browser to use HTTPS for this host for the next 300 seconds.
                Response.AddHeader("Strict-Transport-Security", "max-age=300");
                break;
            case "http":
                // Send plain-HTTP requests to the same path over HTTPS.
                var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
                Response.Status = "301 Moved Permanently";
                Response.AddHeader("Location", path);
                break;
        }
    }
}

Now, the problem is that this enforcement is based on a setting in my app that decides whether it is enforced or not, and when it is set to not enforce, it is still enforcing. How do I get it to clear and stop redirecting?

I tried adding an else in which I put

Response.AddHeader("Strict-Transport-Security", "max-age=0");

Setting max-age to 0 did not work. How do I remove it? It also seems like the max-age isn't working (I am using Chrome), as it has been way more than 300 seconds (5 minutes).

EDIT: I have now tried loading it in IE and it does not do the redirect. I tried going into the Chrome settings and deleting the entry, and still nothing.

cb1295
  • When you say you've gone into Chrome Settings and deleted the entry, did you do it out of `chrome://net-internals/#hsts`? – Steven V May 28 '15 at 15:32
  • @StevenV yes I did. Does it matter that I'm using local? I entered the URL I have set up in IIS (abc.christest.com) to delete it, and even queried it, and it said no result. – cb1295 May 28 '15 at 15:41

1 Answer

Once you have sent the HSTS header to the user's browser, it will always use HTTPS. It is specified per domain and optionally for subdomains as well.

Once the browser has visited your domain and received the HSTS header, it will always use HTTPS (it is enforced). You can't then un-enforce it with a server response.

So it's better to add the HSTS and redirect headers at the Web Application Firewall (WAF) level, and only once all resources on your domain can be served via HTTPS.

https://www.chromium.org/hsts/
https://blog.cloudflare.com/enforce-web-policy-with-hypertext-strict-transport-security-hsts/

Konstantin Pavlov
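As an added example, not code from the question or from the answer above, the following JavaScript models the HSTS policy store a conforming browser keeps according to RFC 6797 section 8.1, and runs through it the responses the Global.asax.cs handler in the question can produce. The host name abc.christest.com is taken from the question's comments; the Map-based store, the simulated clock and the sequence of responses are constructed for this example and do not describe any particular browser's implementation.

```javascript
// Model of a browser's HSTS policy store, following RFC 6797 section 8.1.
// Added example for the question above; it is not code from the page and
// is not taken from any browser. All inputs below are constructed.

// Parse a Strict-Transport-Security header value into its directives.
// Returns null when there is no valid max-age (the header is then ignored).
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  let maxAge = null;
  let includeSubDomains = false;
  for (const directive of value.split(';')) {
    const eq = directive.indexOf('=');
    const name = (eq < 0 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const raw = eq < 0 ? undefined : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age' && raw !== undefined && /^\d+$/.test(raw)) {
      maxAge = Number(raw);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Case-insensitive header lookup on a plain object of response headers.
function getHeader(headers, wanted) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Apply one response to the store. Only a response received over HTTPS can
// change the policy for its host; max-age=0 removes an existing policy.
// `now` is a millisecond timestamp so that expiry can be simulated.
function processResponse(store, { scheme, host, headers }, now) {
  if (scheme !== 'https') return 'ignored: not received over a secure transport';
  const policy = parseHsts(getHeader(headers, 'Strict-Transport-Security'));
  if (policy === null) return 'no valid Strict-Transport-Security header';
  if (policy.maxAge === 0) {
    store.delete(host);
    return 'removed';
  }
  store.set(host, { expires: now + policy.maxAge * 1000, includeSubDomains: policy.includeSubDomains });
  return 'stored';
}

// Would the browser rewrite http://host/... to https:// before sending?
// Checks the host and each parent domain; a parent only counts when its
// policy has includeSubDomains. Expired policies are dropped on the way.
function mustUseHttps(store, host, now) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    const policy = store.get(candidate);
    if (policy === undefined) continue;
    if (policy.expires <= now) { store.delete(candidate); continue; }
    if (i === 0 || policy.includeSubDomains) return true;
  }
  return false;
}

// Run the sequence of responses the question's handler can produce against
// a fresh store with a simulated clock, and return what was observed.
function simulateQuestion() {
  const store = new Map();
  const host = 'abc.christest.com'; // host name from the question's comments
  const sts = (value) => ({ 'Strict-Transport-Security': value });
  let now = 0;
  const seen = [];
  // 1. HTTPS response while IsSSLEnforced is true: policy stored for 300 s.
  seen.push(processResponse(store, { scheme: 'https', host, headers: sts('max-age=300') }, now));
  seen.push(mustUseHttps(store, host, now));
  // 2. max-age=0 on a plain-HTTP response: ignored, still enforced.
  now += 1000;
  seen.push(processResponse(store, { scheme: 'http', host, headers: sts('max-age=0') }, now));
  seen.push(mustUseHttps(store, host, now));
  // 3. The same max-age=0 received over HTTPS: policy removed.
  now += 1000;
  seen.push(processResponse(store, { scheme: 'https', host, headers: sts('max-age=0') }, now));
  seen.push(mustUseHttps(store, host, now));
  // 4. Stored again for 300 s, then checked 301 s later: expired.
  now += 1000;
  processResponse(store, { scheme: 'https', host, headers: sts('max-age=300') }, now);
  seen.push(mustUseHttps(store, host, now + 301 * 1000));
  return seen;
}

console.log(simulateQuestion());
```

Two things the model makes visible: the header is only honoured on a response that arrived over HTTPS, so a max-age=0 emitted on the plain-HTTP path changes nothing, while a max-age=0 received over HTTPS removes the cached policy, as section 8.1 of RFC 6797 requires. The model does not cover the handler's 301 Moved Permanently, which browsers may cache on their own regardless of HSTS; a redirect that outlives the policy can come from that cache, which is one reason to use a 302 or 307 while testing.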