HSTS preventing access to a subdomain mapped to localhost using hosts and using self-signed certificate
I am using CRA (Create React App) and am binding it to local.example.com:443 using the following .env file:
HOST=local.example.com
PORT=443
HTTPS=true
This ensures that when I run the CRA scaffold, it attempts to bind to local.example.com:443 and a self-signed certificate is issued. I can accept the self-signed in the browser and have an HTTPS-enabled local site. HTTPS is a necessity for some things, such as Secure cookies etc., so I need it for local development as well as the remote deployment. Also, proxy can be set to example.com so that the local frontend uses the remote backend in testing, which is another motivation for this setup.
This works when the host name (example.com) doesn't have HSTS, but when it does, the un-accepted self-signed certificate which CRA creates, is rejected. The certificate gets created for localhost, that's the first problem, because example.com's HSTS needs the certificate to be issued for example.com to be valid. Firefox:
Firefox does not trust this site because it uses a certificate that is not valid for local.example.com. The certificate is only valid for the following names: localhost, localhost.localdomain, lvh.me, *.lvh.me, [::1], 127.0.0.1, fe80::1
But on top of it, since it is a self-signed certificate, the browser will reject it unless the user accepts it first, which is possible to do without HSTS, because the warning page about a self-signed certificate allows one to do it, but with HSTS, a different warning page is shown (the one showing the error quoted above), which says HSTS won't allow the navigation to go through and you're toast.
In Chrome, it is possible to ignore HSTS by typing letmein on the HSTS warning page, which works, but it is not a solution in Firefox and I wonder if there is a better way.
Can CRA issue the certificate so that it appears as if it was issued for example.com so that example.com's HSTS accepts it? I assume there would still be a problem with it being self-signed, but if this is possible, maybe the warning page about self-signed certificate will be shown instead nad the user will be able to accept the certificate and carry on?
To "bypass" HSTS locally, you have to generate a valid certificate for your local domain.
The minimal setup would be to generate a self-signed certificate with correct CN and SAN.
You can achieve this even for a website you don't own. The first website that I found that has HSTS with includeSubDomains directive is www.amazon.com.
So I tested a CRA running on local.www.amazon.com.
For that I generated a private key and certificate with the following command:
openssl req \
-x509 \
-newkey rsa:4096 \
-sha256 \
-days 90 \
-nodes \
-keyout noca.local.www.amazon.com.key \
-out noca.local.www.amazon.com.crt \
-subj '/CN=local.www.amazon.com' \
-extensions san \
-config <( \
echo '[req]'; \
echo 'distinguished_name=req'; \
echo '[san]'; \
echo 'subjectAltName=DNS:local.www.amazon.com')
My .env file looks like this:
HOST=local.www.amazon.com
PORT=5000
HTTPS=true
SSL_CRT_FILE=noca.local.www.amazon.com.crt
SSL_KEY_FILE=noca.local.www.amazon.com.key
I open the crt file with the Keychain (I'm on Mac) and trusted it. You can do that differently on other platforms.
You will also have to edit the hosts file (/etc/hosts for me) and add the following line:
127.0.0.1 local.www.amazon.com
And here is the result:
EDIT 1:
If you have to do this for multiple websites you might want to create a local CA that you self-sign.
And then you will generate all your certificates with that CA.
The benefit will be that you will just have to trust the CA certificate once (in the keychain or in Chrome CA certificates or whatever is used to trust the certificates)
- How do I disable the security certificate check in Python requests
- POST call using https.request returns 408
- Your connection is not private NET::ERR_CERT_COMMON_NAME_INVALID
- UEFI Application: Unable to fetch the body of Http GET request
- How do I generate the correct TOTP with Node with correct Headers and SHA512 hashed Token?
- SSL handshake failure in Java Agent (in HCL Notes 14)
- Debugging HTTP traffic originating from npm install using Fiddler
- Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
- Experimental HTTPS in Next.JS doesn't work if I run dev from a external HD
- How to configure Pentaho Carte to accept HTTPS request instead of HTTP
- SSL and aiohttp: disable SSL verification do not work on python 3.12
- How to setup local environment to run on https
- Configuring HTTPS for Express and Nginx
- Strict-Transport-Security max-age not updating to 31536000 in ASP.NET Core application
- How do I make my JavaScript know the index number of the post I want to delete?
- How to change http/https Protocol while using relative URL
- Certificate error invoking gRPC service with HTTPS under .Net 5: UntrustedRoot
- How can I use HTTPS / SSL with Kestrel in ASP.NET Core 2.x?
- docker pull tries to talk http to registry that only understands https
- Using the 'integrity' attribute for script tags while avoiding CORS errors over the file-uri protocol
- How to correctly force SSL on WordPress via wp-config.php?
- Why do I get "The account does not have permission to access this resource" error when logging in to Bitbucket Cloud from XCode?
- Is it safe to use multiple listeners (HTTP and HTTPS) for a server with the default ServeMux in Go?
- Certbot failed to authenticate some domains (authenticator: apache). Failed to verify the temporary Apache configuration changes
- How can we run a FastAPI application on two ports one HTTP and one HTTPS without redirecting?
- OpenAS2 AS2ReceiverHandler: HTTP connection error on inbound message
- java.net.SocketException - NanoHTTPD (https) - Android
- You're accessing the development server over HTTPS, but it only supports HTTP. code 400, message Bad request syntax
- How to set up HTTPS for Rasa chatbot?
- Issues with installing python libraries on Windows : CondaHTTPError: HTTP 000 CONNECTION FAILED for url <https://conda.anaconda.org/anaconda/win-64