How to Fix an HSTS Error

An HSTS error appears when your browser refuses to load a site over HTTPS because the certificate fails validation, and the usual "proceed anyway" link is missing. Because the site has told browsers, through the Strict-Transport-Security header or by being on the browsers' preload list, that it must only ever be reached over HTTPS, the browser treats a bad certificate as a hard failure rather than a warning it can let you click through. The only real fix is to correct the HTTPS configuration.

What an HSTS Error Means

HSTS tells browsers to connect to a domain only over HTTPS, and with includeSubDomains to all of its subdomains as well, for as long as the policy's max-age allows; the browser will not fall back to plain http:// during that time. If the TLS certificate is expired, does not match the hostname, or is served without a valid chain, browsers show errors such as NET::ERR_CERT_COMMON_NAME_INVALID or NET::ERR_CERT_DATE_INVALID and prevent access. Without HSTS these same conditions would produce a warning page with a bypass option; with HSTS the bypass is removed on purpose.

Common Causes

  • Expired certificate or a certificate not yet valid.
  • Wrong hostname (certificate doesn’t match the domain or subdomain).
  • Incomplete certificate chain missing the intermediate CA.
  • Misconfigured redirects sending HTTPS traffic to the wrong host.
  • System clock issues on the client device.
  • TLS inspection by antivirus, VPNs, or corporate proxies.

Fixes for Visitors

  1. Check your system time. A wrong clock can make valid certificates appear expired.
  2. Disable VPNs or intercepting proxies. These replace the site's certificate with one signed by their own CA; if that CA is not installed and trusted on your device, the substituted certificate fails validation and triggers the HSTS error. On a managed corporate device the fix is to install the proxy's root CA through your IT department, not to bypass the error.
  3. Try another network or browser. This helps confirm if the issue is local.
  4. Clear the HSTS policy (development use only). This only disables the protection for a policy the browser learned from the header; it does not help for domains on the browsers' built-in preload list, which cannot be removed from the client side.
    • Chrome/Edge: visit chrome://net-internals/#hsts or edge://net-internals/#hsts, enter the domain under "Delete domain security policies" and delete it. Querying the domain on the same page shows whether the entry is dynamic (removable) or static (preloaded).
    • Firefox: use "Forget About This Site" from the History window, or clear site preferences, or, with Firefox closed, remove the domain's line from the profile's SiteSecurityServiceState.txt (recent versions store this data in a .bin file instead).
    • Safari: clear website data for the domain.
  5. Contact the site owner. HSTS errors can’t be bypassed safely without fixing the site.

Fixes for Site Owners

  1. Renew or replace the TLS certificate and ensure it covers every hostname you serve.
  2. Serve the full certificate chain (including intermediate certificates).
  3. Fix redirects so that plain HTTP redirects to https:// on the same hostname and every hop in the chain serves a certificate that covers the name being requested. A redirect to a host whose certificate does not include it is one of the most common causes of this error.
  4. Review HSTS settings. Start with a small max-age (minutes or hours) so a mistake expires quickly, raise it once HTTPS has been stable for a while, and add includeSubDomains only when every subdomain, including internal and legacy hosts, serves valid HTTPS.
  5. Check preload status. If your site is on the preload list, the policy is built into browsers and cannot be cleared by visitors. Removal is requested at hstspreload.org after dropping the preload directive from the header, and it only takes effect as new browser versions ship, so expect months; until then the only way to stop the errors is a stable HTTPS configuration.

Recommended HSTS Header

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

max-age is how long, in seconds, browsers remember to use HTTPS only (31536000 is one year). includeSubDomains extends the policy to every subdomain of the host that sent the header. preload signals that you intend to submit the domain to the browsers' built-in list at hstspreload.org, which requires max-age of at least one year together with includeSubDomains. Leave preload out until every host under the domain is ready: once a domain is preloaded the policy cannot be cleared by visitors and takes months to remove.

Validate the Fix
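The script below is an added example for this article, not code from the original page. It checks the header from the previous section offline, linting a Strict-Transport-Security value against the directives recommended there and the preload list's published requirements (max-age of at least one year plus includeSubDomains), and, when run with a hostname, performs the live checks a site owner needs after a fix: it connects using Python's default trust settings, which apply the same chain, hostname and date validation a browser refuses to let you bypass under HSTS, reads the HSTS header from the HTTPS response, and confirms that plain HTTP redirects to https:// on the same host. The hostname argument and the example.com default are placeholders; the live checks need network access and use only the standard library.

```python
"""Lint an HSTS header offline and, optionally, check a live host.
Added example for this article, not part of the original page.
"""
import socket
import ssl
import sys
import http.client
import time
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year
REDIRECT_CODES = (301, 302, 307, 308)


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: [values]}.
    Names are case-insensitive; bare flags such as includeSubDomains get None.
    Duplicates are kept so that lint_hsts can report them."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        directives.setdefault(name.strip().lower(), []).append(
            val.strip().strip('"') if eq else None
        )
    return directives


def lint_hsts(value):
    """Return a list of problems; empty means the header is sound and, if it
    carries 'preload', meets the preload list's published requirements."""
    d = parse_hsts(value)
    issues = [f"duplicate directive: {n}" for n, v in d.items() if len(v) > 1]
    if "max-age" not in d:
        return issues + ["max-age is required"]
    raw = d["max-age"][0]
    if raw is None or not raw.isdigit():
        return issues + ["max-age must be a non-negative integer"]
    max_age = int(raw)
    if max_age == 0:
        issues.append("max-age=0 tells browsers to forget the policy (rollback only)")
    if "preload" in d:
        if max_age < ONE_YEAR:
            issues.append(f"preload requires max-age >= {ONE_YEAR} (got {max_age})")
        if "includesubdomains" not in d:
            issues.append("preload requires includeSubDomains")
    return issues


def redirect_is_safe(status, location, host):
    """True if an HTTP response redirects to https:// on the same host, which the
    preload list expects and which keeps HSTS clients off hostnames the
    certificate may not cover."""
    if status not in REDIRECT_CODES or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()


def check_site(host, timeout=5):
    """Live check (needs network): certificate validation with the system trust
    store, then the HSTS header over HTTPS and the plain-HTTP redirect."""
    ctx = ssl.create_default_context()  # verifies chain, dates and hostname
    report = {"host": host}
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                expires = ssl.cert_time_to_seconds(cert["notAfter"])
                report["days_left"] = int((expires - time.time()) // 86400)
                report["sans"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    except ssl.SSLCertVerificationError as e:
        # This is exactly the condition behind the browser's unskippable error.
        report["error"] = f"certificate rejected: {e.verify_message}"
        return report
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    conn.request("HEAD", "/")
    hsts = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    report["hsts"] = hsts
    report["hsts_issues"] = lint_hsts(hsts) if hsts else ["no HSTS header on HTTPS response"]
    plain = http.client.HTTPConnection(host, 80, timeout=timeout)
    plain.request("GET", "/")
    resp = plain.getresponse()
    report["http_redirect_ok"] = redirect_is_safe(resp.status, resp.getheader("Location") or "", host)
    plain.close()
    return report


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder default
    for key, val in check_site(target_host).items():
        print(f"{key}: {val}")
```

Run it as `python3 hsts_check.py www.yourdomain.example` (the filename and host are placeholders). A report that contains an "error" key reproduces the browser's complaint from the command line, which is the quickest way to tell a genuine server-side problem from a client-side clock or proxy issue: run it from a machine outside the affected network. Repeat for every hostname covered by includeSubDomains, since a single subdomain with a bad certificate still fails for visitors. The same checks can be done by hand with `openssl s_client -connect host:443 -servername host -showcerts` (look at the verify return code and the chain it prints) and `curl -sI https://host/` (look for the Strict-Transport-Security line).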

Key Takeaways

  • HSTS errors mean the certificate failed validation and the browser deliberately offers no way past the error; that is the protection working as designed.
  • Fix the certificate or chain, then verify redirects and headers.
  • Use shorter HSTS max-age values until every subdomain is fully HTTPS-ready.