Suddenly, users started getting an error message while trying to access a customer-hosted HTTP site. The error was “This site can’t be reached, abcd.com took too long to respond...” I was able to access the site using the IP, though. I had no issue accessing the locally hosted HTTP site using the FQDN as well as the IP. As soon as you typed the URL http://abc.com/test.html, it redirected to https://abc.com/test.html. I believe all the browsers implemented the HSTS standard a long time ago. Why am I seeing this in my environment now? Maybe the domain that I am accessing has just been included in the browser’s preload list.
HSTS stands for HTTP Strict Transport Security. It is a security feature that tells a web browser to only interact with a web server using a secure HTTPS connection. This means that if a website has HSTS enabled, the browser will automatically convert any insecure HTTP links to HTTPS when the user attempts to visit the website. HSTS can help protect against man-in-the-middle attacks and other forms of network surveillance.
Browsers maintain a list of all sites that are part of the HTTP Strict Transport Security (HSTS) preload list. This is a list of sites that are hardcoded into the browsers as HTTPS only. You can check a domain’s HSTS preload status at https://hstspreload.org or submit domains to be included in the list. I found out that the site/domain I was trying to access over HTTP was preloaded as HTTPS only. I could access the locally hosted site over HTTP because the domain is internal and not in the preload list.
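The preload lookup described above, sketched as an added example (not code from the original post or from any browser): it decides whether a browser would rewrite an http:// URL to https:// before sending anything. The entry fields are modelled on Chromium's preload list format and the sample entries and hostnames are constructed. It also covers the two cases seen here: IP literals are never HSTS hosts, and a parent entry (even a whole TLD such as dev) covers everything beneath it.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample; a real preload list has many thousands of entries.
SAMPLE_PRELOAD = [
    {"name": "dev", "mode": "force-https", "include_subdomains": True},
    {"name": "example.com", "mode": "force-https", "include_subdomains": True},
    {"name": "www.example.org", "mode": "force-https", "include_subdomains": False},
]

def is_ip_literal(host):
    """HSTS applies to host names only, never to IP addresses."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def matching_entry(host, entries):
    """Return the preload entry that covers host, or None."""
    by_name = {e["name"]: e for e in entries if e.get("mode") == "force-https"}
    labels = host.rstrip(".").lower().split(".")
    # Walk from the full name up to the TLD: a.b.dev, b.dev, dev
    for i in range(len(labels)):
        entry = by_name.get(".".join(labels[i:]))
        # An exact match always applies; a parent only with include_subdomains.
        if entry and (i == 0 or entry.get("include_subdomains")):
            return entry
    return None

def effective_url(url, entries):
    """URL the browser would actually request after the preload check."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or is_ip_literal(host):
        return url
    if matching_entry(host, entries) is None:
        return url
    # An explicit port 80 becomes the HTTPS default; other ports are kept.
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return parts._replace(scheme="https", netloc=netloc).geturl()

if __name__ == "__main__":
    for u in ("http://intranet.corp.dev/test.html",   # covered by the "dev" TLD entry
              "http://192.0.2.10/test.html",          # IP literal: no upgrade
              "http://app.internal.lan/test.html"):   # not in the list: no upgrade
        print(u, "->", effective_url(u, SAMPLE_PRELOAD))
```

If an internal hostname comes back upgraded, the matching entry's name shows which preloaded parent domain is responsible.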
Now, I googled to see if there is any way to bypass or disable HSTS, but I could not find one for Google Chrome or Microsoft Edge. No, I do not advise doing this if you're accessing these sites on the public domain. Mine is strictly in an air-gapped environment.
I found out that I could disable the preload list in Firefox:
about:config
network.stricttransportsecurity.preloadlist false