Moving my website to http but HSTS causing problems

Question

Previously my website was was using the https protocol with HSTS which will expire in 365 days. I have now changed my hosting and using github pages which does not provide https for the custom domains. Now the website is not opening in browsers of my users. What can i do for changing this behaviour without a server hosting and setting expiry of HSTS to zero. Is it possible via DNS or anything.

Answer 1

Github now supports HTTPS for gh-pages on custom domains. You may have to disable and re-enable your custom domain to make it work.

Answer 2

Nope. HSTS forces HTTPS until expiry so, short of getting all your users to remove the HSTS policy from their browsers, or hoping they have never visited your site so don’t have it cached, there is nothing you can do to allow HTTP only traffic.

So you need HTTPS. This involves either moving your site again, or sticking a CDN in front of it. Cloudflare for example offers a free plan including HTTPS that can be used to provide HTTPS in front of a HTTP-only site like GitHub. Some feel this is disingenuous to your visitors, as it will look like a HTTPS site but the last hop will be over unencrypted HTTP only, though, on the other hand, one of the main advantages of HTTPS is for the first hop between end users and a potentially dodgy WiFi end point.

HTTPS is increasingly becoming a must have, even for sites that previously haven’t considered the need for it, due to privacy concerns, browsers pushing for it and penalising those that don’t use it, features (HTTP/2, Brotli, Location... etc.) not being available on HTTP only sites, as a (currently weak) SEO ranking signal and to prevent some ISPs injecting ads and “helpful content” into your site when using their internet connection. I still can’t believe github don’t offer HTTPS on custom domains but, until they do, I’d avoid them and other hosting providers that do not offer this basic requirement of a site.