chrome keeps redirecting because of HSTS


I have implemented a simple static server like this in /etc/nginx/sites-available/default that serves a bunch of files:

server {
    listen 80;
    server_name www.x.app x.app;
    root /usr/share/app/front-end/build;

    location / {
        index index.html;
        autoindex on;
        autoindex_exact_size off;
    }
}

But when I browse http://www.x.app I immediately get redirected to https://www.x.app, and I want to browse over plain HTTP. I searched a lot and found out that Chrome shows the Non-Authoritative-Reason: HSTS header (it redirects me using a 307 Internal Redirect), so there is a security mechanism, "HSTS", causing this. The answers said to use add_header Strict-Transport-Security "max-age=0"; in the nginx configuration, but it didn't work.

P.S.1: I cleared my Chrome cache and it still doesn't work.

P.S.2:

Querying HSTS/PKP domain in chrome:

Found:
static_sts_domain: app
static_upgrade_mode: FORCE_HTTPS
static_sts_include_subdomains: true
static_sts_observed: 1613773712
static_pkp_domain:
static_pkp_include_subdomains:
static_pkp_observed:
static_spki_hashes:
dynamic_sts_domain:
dynamic_upgrade_mode: UNKNOWN
dynamic_sts_include_subdomains:
dynamic_sts_observed:
dynamic_sts_expiry:
Accepted answer:

When Google launched the .app top level domain they announced it would only be available over HTTPS, as it has HSTS preloaded in Chrome's (and other browsers') code, rather than depending on sites configuring it as such in their web server:

https://blog.google/technology/developers/introducing-app-more-secure-home-apps-web/

A key benefit of the .app domain is that security is built in—for you and your users. The big difference is that HTTPS is required to connect to all .app websites, helping protect against ad malware and tracking injection by ISPs, in addition to safeguarding against spying on open WiFi networks. Because .app will be the first TLD with enforced security made available for general registration, it’s helping move the web to an HTTPS-everywhere future in a big way.

So you need to use another domain name if you do not want to use HTTPS. Note that .dev is in the same situation.
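The following is an added example, not code from the question, the answer or Chromium itself. It models how Chrome decides whether a hostname is forced to HTTPS: a static (preloaded) table compiled into the browser is consulted first, then the dynamic table learned from Strict-Transport-Security headers, and a parent-domain entry with includeSubDomains covers every subdomain (the superdomain matching of RFC 6797). That is why the "static_sts_domain: app" entry in the question catches www.x.app, and why max-age=0 does nothing here: it can only delete a dynamic entry. The preload entries, hostnames and the HstsState/navigate helpers are constructed for illustration; only the "app" and "dev" entries reflect the real preload behaviour the answer describes.

```python
"""Model of Chrome's HSTS lookup: static preload list vs. dynamic header entries.
Added example; the static table below is constructed sample data, not a copy of
Chromium's transport_security_state_static.json.
"""
import time

# Constructed sample of preloaded (static) entries. Google preloads the whole
# .app and .dev TLDs with include_subdomains, so every name under them matches.
STATIC_PRELOAD = {
    "app": {"include_subdomains": True},
    "dev": {"include_subdomains": True},
    "example.net": {"include_subdomains": False},   # constructed, exact host only
}


class HstsState:
    """Minimal HSTS store: static entries are read-only; dynamic entries come
    from Strict-Transport-Security headers and can expire or be deleted."""

    def __init__(self, static=STATIC_PRELOAD):
        self.static = dict(static)
        self.dynamic = {}   # host -> {"expiry": float, "include_subdomains": bool}

    def observe_header(self, host, header, now=None):
        """Process a Strict-Transport-Security header received over HTTPS
        (RFC 6797: the header is ignored when received over plain HTTP)."""
        now = time.time() if now is None else now
        max_age = None
        include_subdomains = False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return  # malformed: max-age is mandatory
        if max_age == 0:
            # max-age=0 deletes the host's *dynamic* entry only; the static
            # (preloaded) table is never touched.
            self.dynamic.pop(host.lower(), None)
            return
        self.dynamic[host.lower()] = {
            "expiry": now + max_age,
            "include_subdomains": include_subdomains,
        }

    def _lookup(self, table, host, now):
        """Superdomain matching (RFC 6797 s8.3): the exact host matches any
        entry; a parent domain matches only if it set includeSubDomains."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = table.get(candidate)
            if entry is None:
                continue
            if "expiry" in entry and entry["expiry"] <= now:
                continue  # expired dynamic entry
            if i == 0 or entry["include_subdomains"]:
                return candidate
        return None

    def forced_https_source(self, host, now=None):
        """Return 'static', 'dynamic' or None depending on why HTTPS is forced."""
        now = time.time() if now is None else now
        if self._lookup(self.static, host, now):
            return "static"
        if self._lookup(self.dynamic, host, now):
            return "dynamic"
        return None


def navigate(state, url, now=None):
    """Return the URL the browser will actually fetch for a typed URL."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if scheme == "http" and state.forced_https_source(host, now):
        return "https://" + rest   # Chrome's "307 Internal Redirect"
    return url


if __name__ == "__main__":
    s = HstsState()
    print(navigate(s, "http://www.x.app/"))        # upgraded by the static "app" entry
    s.observe_header("www.x.app", "max-age=0")     # the advice from the question
    print(navigate(s, "http://www.x.app/"))        # still https: static entry unaffected
    s.observe_header("www.x.org", "max-age=31536000; includeSubDomains")
    print(navigate(s, "http://cdn.www.x.org/"))    # upgraded via a dynamic entry
    s.observe_header("www.x.org", "max-age=0")     # dynamic entries can be cleared
    print(navigate(s, "http://cdn.www.x.org/"))    # back to plain http
```

Note that this logic lives in the browser, not in nginx: the server in the question never sees the HTTP request because Chrome rewrites the URL before connecting, which is why no add_header directive can change the outcome for a preloaded TLD.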