Disable HSTS

Disabling HSTS is a two-step process. You first let shoppers access your site using an insecure connection, and then you stop your site from sending the HSTS header.

If you simply disable the HSTS headers on your site, your site stops sending the HSTS requirement to browsers, but it's likely that many browsers have already received a max age from your site. A browser that has cached a max age keeps requiring a secure connection until that period expires; it only updates the cached value when it receives a response from your site carrying a new max age. Therefore, before disabling your site's HSTS headers, set the max age to 0, which tells browsers to drop the cached requirement and lets customers access your site through an insecure connection.

The second step is to disable the HSTS headers. Before disabling, we recommend waiting the longest period of time that you have ever set your max age, because a browser that never revisited your site after you set max age to 0 still holds the old value until it expires. For example, on April 1, you set the max age to one month. On April 5, you changed it to one week. Wait until May 1, one month after April 1, before disabling the headers.

  1. Select Administration > Sites > Embedded CDN Settings.
  2. Click Configure Zones.
  3. On the Crypto tab, set Max Age to 0. When the max age is 0, browsers drop the requirement that a connection is made through a secure connection.
  4. Wait the longest period that you've set your max age before disabling the HSTS headers.
  5. To disable the HSTS headers, click Enabled.
  6. Click Confirm.
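The waiting rule above can be worked out mechanically. The following script is an added example, not part of this documentation or of the CDN product: it parses Strict-Transport-Security header values, classifies what a browser would do with each, and computes the earliest date on which no browser can still hold a cached max age, given the history of values you have sent. The header strings and dates are constructed to match the April 1 / April 5 example; one month is taken as 30 days, which is an assumption.

```python
from datetime import datetime, timedelta

# Sample header history (constructed for this example, not captured from a real site):
# each entry is (date the header started being sent, header value as sent).
HEADER_HISTORY = [
    (datetime(2024, 4, 1), "max-age=2592000; includeSubDomains"),  # one month (30 days)
    (datetime(2024, 4, 5), "max-age=604800; includeSubDomains"),   # one week
    (datetime(2024, 4, 12), "max-age=0"),                         # step 3: clear the policy
]


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    max-age is required by RFC 6797 and is returned as an int; boolean
    directives such as includeSubDomains and preload map to True.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            directives[key.strip().lower()] = value.strip().strip('"')
        else:
            directives[part.lower()] = True
    if "max-age" not in directives:
        raise ValueError("HSTS header is missing the required max-age directive")
    directives["max-age"] = int(directives["max-age"])
    return directives


def hsts_state(header_value):
    """Describe what a browser does with this header: enforce, clear, or nothing."""
    if header_value is None:
        # No header: browsers keep whatever max age they already cached.
        return "absent"
    max_age = parse_hsts(header_value)["max-age"]
    return "clearing" if max_age == 0 else "enforcing"


def safe_disable_date(history):
    """Earliest date after which no browser can still hold a cached HSTS policy.

    A browser that last saw the header on the day a value was first sent keeps
    that value for its full max-age, so the answer is the latest expiry over all
    values ever sent. Entries with max-age=0 contribute nothing.
    """
    latest = None
    for started, header_value in history:
        expiry = started + timedelta(seconds=parse_hsts(header_value)["max-age"])
        if latest is None or expiry > latest:
            latest = expiry
    return latest


def ready_to_disable(history, today):
    """True once the clearing value has been sent and the longest max age has elapsed."""
    cleared = any(hsts_state(value) == "clearing" for _, value in history)
    return cleared and today >= safe_disable_date(history)


if __name__ == "__main__":
    for started, value in HEADER_HISTORY:
        print(started.date(), value, "->", hsts_state(value))
    print("earliest safe date to disable HSTS headers:", safe_disable_date(HEADER_HISTORY).date())
    print("ready on 2024-04-20?", ready_to_disable(HEADER_HISTORY, datetime(2024, 4, 20)))
    print("ready on 2024-05-01?", ready_to_disable(HEADER_HISTORY, datetime(2024, 5, 1)))
```

Run it against your own header history before clicking Enabled in step 5: if `ready_to_disable` is false, some browser that visited during the longest max age you ever sent may still refuse an insecure connection.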