How to Fix an HSTS Error

An HSTS error appears when your browser refuses to load a site over HTTPS because the certificate is invalid or untrusted. Since HSTS prevents bypassing the warning, the only real fix is to correct the HTTPS configuration.


An HSTS error is a browser security block that cannot be dismissed with a "Proceed anyway" click. When a site has sent the Strict-Transport-Security header and then serves an invalid or expired certificate, the browser enforces HTTPS absolutely — it will not fall back to HTTP. The only way out is to fix the underlying certificate or HSTS configuration.

Cannot bypass this error

Unlike a standard SSL warning, an HSTS error cannot be bypassed by clicking “Proceed anyway”. The browser enforces the policy strictly. Fix the underlying certificate issue to resolve it.

What an HSTS Error Means

HTTP Strict Transport Security (HSTS) forces browsers to use HTTPS for a domain and, optionally, all its subdomains. When the TLS certificate is expired, mismatched, or missing a valid chain, browsers show errors such as NET::ERR_CERT_COMMON_NAME_INVALID or NET::ERR_CERT_DATE_INVALID and prevent access entirely.

The Strict-Transport-Security response header is the signal that tells browsers to apply this enforcement. Once a browser sees the header, it caches the policy for the duration of max-age.
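To make the caching rule concrete, here is an added example (not code from the article) that simulates the browser side of HSTS: it parses the Strict-Transport-Security value, honours it only when the response arrived over an error-free TLS connection, keeps the policy until max-age runs out, and applies includeSubDomains when matching hostnames. Once must_use_https() is true for a host, a browser has no "Proceed anyway" path for a bad certificate. The hostnames, header values and the fake clock are constructed for illustration; the parsing rules follow RFC 6797.

```python
"""Simulate how a browser caches and applies an HSTS policy (RFC 6797).

Added example; not code from the original article. Hostnames, header
values and the injectable clock are constructed for illustration.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HstsPolicy:
    expires_at: float          # epoch seconds after which the policy lapses
    include_subdomains: bool


def parse_hsts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains), or None if the header is unusable.

    Directive names are case-insensitive; a missing, non-numeric or
    duplicated max-age makes the whole header invalid, which browsers
    treat as "no policy".  Unknown directives such as preload are ignored.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Minimal per-host policy cache keyed by the exact hostname seen."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.policies: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, header_value: str, tls_ok: bool) -> None:
        """Record the policy carried by one HTTPS response.

        The header is only honoured on a response received without TLS
        errors; over plain HTTP or a broken connection it is ignored.
        max-age=0 tells the browser to forget any stored policy.
        """
        if not tls_ok:
            return
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.policies.pop(host, None)
            return
        self.policies[host] = HstsPolicy(self.clock() + max_age, include_subdomains)

    def must_use_https(self, host: str) -> bool:
        """True when an unexpired policy covers host (exactly or via includeSubDomains)."""
        now = self.clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    store.observe("example.com", "max-age=300; includeSubDomains", tls_ok=True)
    for h in ("example.com", "api.example.com", "example.org"):
        print(h, "-> HTTPS enforced" if store.must_use_https(h) else "-> no policy")
```

Because the store is keyed by the exact host that sent the header, a policy learned from example.com only reaches www.example.com when includeSubDomains was present, which is why the article's site-owner checklist insists the certificate cover every hostname before that directive is turned on.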

Common Causes

  • Expired certificate — the certificate's validity window has passed.
  • Wrong hostname — the cert does not cover the domain or subdomain being visited.
  • Incomplete certificate chain — intermediate CA certificates are missing.
  • Misconfigured redirects — HTTPS traffic is routed to a different host with a different cert.
  • System clock issues — a wrong clock on the client device makes valid certs look expired.
  • TLS inspection — antivirus software, VPNs, or corporate proxies intercept and re-sign traffic.

Browser Error Codes Reference

Error Code                                               Browser         Likely Cause
NET::ERR_CERT_COMMON_NAME_INVALID                        Chrome / Edge   Hostname mismatch
NET::ERR_CERT_DATE_INVALID                               Chrome / Edge   Expired or future-dated cert
SEC_ERROR_EXPIRED_CERTIFICATE                            Firefox         Certificate past expiry
ERR_SSL_PROTOCOL_ERROR                                   Chrome / Edge   TLS handshake failure
MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED   Firefox         Certificate policy violation

Fixes for Visitors

  1. Check your system time. A wrong clock makes valid certificates appear expired. Sync your clock with the OS time settings.
  2. Disable VPNs or intercepting proxies. These can replace certificates and trigger HSTS errors on otherwise healthy sites.
  3. Try another network or browser. This isolates whether the issue is local (your device) or global (the server).
  4. Clear the HSTS policy (development / testing use only):
    • Chrome / Edge — visit chrome://net-internals/#hsts or edge://net-internals/#hsts and delete the domain security policy.
    • Firefox — clear site preferences or remove the domain from SiteSecurityServiceState.txt in your profile.
    • Safari — clear website data for the domain in Privacy settings.
  5. Contact the site owner. HSTS errors cannot be safely bypassed without fixing the server-side certificate.

Info

Clearing the HSTS policy in your browser only removes the cached policy on your device. If the server still sends an invalid certificate, the error will return immediately.

Fixes for Site Owners

  1. Renew or replace the TLS certificate and ensure it covers every hostname you serve, including www and any subdomains.
  2. Serve the full certificate chain. Include intermediate CA certificates in your server configuration — not just the end-entity certificate.
  3. Fix HTTPS redirects so they point to the correct domain and the certificate on that domain is valid.
  4. Review HSTS settings. Start with a small max-age (e.g. 300 seconds) and expand it only once HTTPS is stable across all hostnames.
  5. Check preload status. If your domain is on the HSTS preload list, removal requests take weeks. Ensure HTTPS is fully working before submitting.

Recommended HSTS Header

Once your certificate is valid and the chain is complete, set the following header on every HTTPS response:

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

Nginx Configuration Example

```nginx
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # The certificate file must contain the full chain: the end-entity
    # certificate first, followed by the intermediate CA certificates.
    ssl_certificate     /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # HSTS — 1 year, all subdomains, preload-ready
    # "always" adds the header on error responses as well as 200s.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
```

Apache Configuration Example

```apache
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on

    # On Apache 2.4.8 or later this file may hold the full chain (end-entity
    # certificate followed by intermediates); older releases need the
    # intermediates in a separate SSLCertificateChainFile directive.
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # HSTS header (requires mod_headers); "always" covers error responses too
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

Start small

Begin with max-age=300 (5 minutes) while testing. Once you confirm that HTTPS works perfectly for every subdomain, increase to 31536000 (1 year) and add preload.

Validate the Fix

After updating your certificate and HSTS header, verify everything is correct:
