HSTS Error Pages & Some Vulnerabilities
1. Problem

The test server cannot be accessed after setting the HSTS header. The error pages are shown below (as displayed in Firefox).

Error message:
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely

Error message:
接続中止: 潜在的なセキュリティ問題

2. Why this happened

This happened because the SSL certificate differs between the test server and the production server, which share the same domain (e.g. www.sample.com).

HSTS caching SSL certificate data

HSTS enforces HTTPS (using SSL, preventing HTTP) and caches SSL certificate data. The browser keeps the cached data for the max-age period.

Same domain with different certificate data

First, the browser accesses the production server over HTTPS and caches the SSL certificate data.
Second, the browser tries to access the test server (STG) with the cached data, but fails because the SSL certificate data differs between the production server and the test server.

3. Solution

Delete the browser cache, then access the site again. Or use the same SSL certificate on both the test server and productio...