Support
Support
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Allow firefox to bypass HSTS errors

KERR
Making moves
‎01-03-2022 04:13 PM
Status: New idea

Using this test website, Firefox offers no way to proceed past the HSTS error:

https://subdomain.preloaded-hsts.badssl.com/

KERR_2-1646179948211.png

 

Vivaldi allows you to continue by clicking a proceed:

KERR_1-1646179771430.png

 

Chrome and Edge allow you to proceed by typing "thisisunsafe"

KERR_0-1646179703168.png

It would be handy to let us bypass these warnings (at our own risk), similar to how we can add exceptions to sites with invalid certs. It's not a common use case, but coming across one of these means my only option is to use Chrome/Edge/Vivaldi.

See more ideas labeled with:
Comment
61 Comments
aaronchantrill
Making moves
‎12-01-2026 11:56 AM
‎12-01-2026 11:56 AM

@mtrantalainen 

The site is *literally* configured to use encrypted connection with an option "Please, do not allow connection to the site unless a valid TLS certificate is provided." (also called HSTS) and when the site has invalid TLS certificate you think the browser should connect anyway? Despite the fact that the server has explicitly declared that the content on the site is too important to access without a valid certificate??

As I understand your point above, the data on the server is protected by HSTS policy, so since the server admins have said that the user must use a valid certificate, the user should not be allowed to access the precious data over a misconfigured connected because bad things might happen.

Unfortunately, server admins use HSTS as a way of saying "I don't want users to be able to access this server over port 80, even if they request the site that way and the webserver software is configured to allow them to do it." They are usually not thinking about what happens if someone screws up several years later and accidentally allows the certificate to expire, or forgets to add a domain to the SAN list.

Using an expired certificate or a certificate that does not match the domain is not the same as not using a certificate at all. Just because a certificate has expired does not mean that it stops working or is instantly compromised.

Usually, the data is the property of the user, not the server hosting it, so the user should be allowed to make the determination whether or not they want to accept the risk of accessing it. In cases where an employee is attempting to access protected data belonging to an employer over a misconfigured connection, company policy would determine whether they are allowed to bypass the certificate error.

For most users, putting up the standard scary warning about the certificate being invalid would be enough for them to contact their IT department. Most employees are delighted to be able to blame any missed deadlines that week on IT problems.

As others have pointed out, this is a problem that can be bypassed in Chrome and other Chromium-based browsers. From what I've seen, most of the remaining Firefox base are advanced users who value Mozilla for maintaining the Gecko engine and recognize that without Gecko, Alphabet gets total control of the world wide web. Infantalizing these users is telling them that Mozilla no longer values their patronage.

Copyright © 2026 Khoros, LLC