I accidentally set the SECURE_HSTS_SECONDS value to a non-zero value on my local development server. The Chrome browser expectedly returned an ERR_SSL_PROTOCOL_ERROR. I set the SECURE_HSTS_SECONDS value to zero, cleared the cache, and reset the HSTS policies by visiting chrome://net-internals/#hsts. It was still returning the same error.
I then removed the SECURE_HSTS_SECONDS from the settings file and reset everything just as I did before, and the error was gone. When I add the SECURE_HSTS_SECONDS to the settings file again, regardless of the value being zero or non-zero, the issue resurfaces. Did I misunderstand how it all works?
Is your local server being accessed on the browser via HTTPS? Because normally you access the local server via HTTP. And this setting should only be defined on a HTTPS environment.
Yes I understand that. But I accidentally set those variables in my local environment. But I did remove it as I have mentioned but the issue persists.
I ran into the same ERR_SSL_PROTOCOL_ERROR when testing HSTS settings locally. The issue is that once HSTS is enabled for a domain, Chrome forces HTTPS, no matter what value you later set for SECURE_HSTS_SECONDS. Even setting it to 0 doesn’t instantly remove the rule the browser still expects a valid HTTPS setup. That’s why the error keeps coming back whenever the header is present. The fix is either to clear the HSTS entry completely chrome://net-internals/#hsts and avoid sending the header during local dev, or use a different test domain. On production, it works fine once you have a proper SSL cert in place. Hope it helps!