
How to edit the HSTS "max-age" directive in Chrome?

I want to test what happens when the HSTS "max-age" directive expires and the user visits my web application.

I know that proper behavior would be that, since HSTS has expired, the browser is willing to request HTTP content. However, I would like to see this in action.

How can I manipulate the HSTS "max-age" attribute in Chrome (or some other browser)?

Shuzheng

1 Answer


You can type chrome://net-internals/#hsts in the URL bar and view the current policy that exists for a domain.

You can also delete the policy, though not if it is a "preloaded policy", which is hardcoded in the Chrome source code; be aware that Chrome includes several top-level domains like .dev in the preload list. Preloaded policies will show as a static policy when you search for them in chrome://net-internals/#hsts.

So once you delete it (assuming it is not preloaded) you should be able to visit the HTTP version, though it will likely redirect you and then add HSTS back for the site. So make sure you enable the "Preserve log" option if you are looking at these in the Network tools, so the original HTTP call is not overwritten by the redirect.

Barry Pollard
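For readers who want to see the expiry logic itself rather than poke at chrome://net-internals, here is a small model of a browser's HSTS cache, written as an added example (it is not code from the question or the answer, and it is not Chrome's implementation). It parses a Strict-Transport-Security header the way RFC 6797 describes, stores the policy with an absolute expiry time, and answers whether an http:// request at a given moment must be upgraded. The host names, header values and timestamps in it are constructed for the demonstration; a real test against a browser still needs the site served over HTTPS, as the answer notes, since HSTS headers received over plain HTTP are ignored.

```python
"""Minimal model of a browser HSTS cache (added example, not Chrome's code).
Shows what happens to an http:// request before and after max-age lapses.
All hosts, header values and timestamps below are constructed for the demo."""
import re
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    host: str
    expires_at: float          # absolute time (seconds since epoch) when the policy lapses
    include_subdomains: bool


def parse_hsts_header(value: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    malformed or lacks max-age, in which case a browser ignores it (RFC 6797).
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None          # non-numeric max-age: header is invalid
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        # other directives (e.g. "preload") do not affect the runtime cache
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    def __init__(self):
        self.policies = {}

    def observe(self, host: str, header_value: str, now: float) -> None:
        """Record the policy from a response received over HTTPS at time `now`.

        max-age=0 tells the browser to forget the host (the server-side way to
        clear a policy, as opposed to deleting it in chrome://net-internals).
        """
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.policies.pop(host, None)
            return
        self.policies[host] = HstsPolicy(host, now + max_age, include_subdomains)

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if an http:// request to `host` at time `now` must become https://."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])     # host itself, then each parent domain
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            if now >= policy.expires_at:
                # Expired entry: drop it, so plain HTTP is allowed again.
                del self.policies[candidate]
                continue
            if candidate == host or policy.include_subdomains:
                return True
        return False


def demo():
    """Walk one host through a short max-age and report the upgrade decisions."""
    cache = HstsCache()
    t0 = 1_700_000_000.0   # constructed timestamp
    # Constructed header with a short max-age so expiry is easy to observe.
    cache.observe("app.example", "max-age=60; includeSubDomains", t0)
    return {
        "during": cache.should_upgrade("app.example", t0 + 30),        # True
        "subdomain": cache.should_upgrade("api.app.example", t0 + 30), # True
        "after": cache.should_upgrade("app.example", t0 + 61),         # False
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the third result is the case the question asks about: once `now` passes `expires_at` the entry is discarded and the http:// request goes out unmodified, which is exactly why the answer recommends "Preserve log" when watching the real browser, because the very next HTTPS response will usually re-arm the policy.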