Accessing HSTS websites using Fiddler. Yes, it can be done!

The other day I came across a StackOverflow comment so valuable (and, unfortunately, NOT marked as the answer) that I had to share it.

First, a little context: I was debugging a webapp and popped open Fiddler to check some HTTP requests. Unfortunately, the site uses HSTS (HTTP Strict Transport Security), and I was greeted with Chrome’s warning page letting me know that I couldn’t view the site.

HSTS prevents man-in-the-middle shenanigans, which in this case were being introduced by Fiddler’s SSL cert.
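For anyone who wants to see what the policy behind that warning page actually looks like, here is an added Python check (my own illustration, not from the original post or the Stack Overflow thread) that parses a Strict-Transport-Security header following RFC 6797 and flags the settings a site owner would want to know about; the header values are constructed samples.

```python
# Added example (not from the original post): a parser for the
# Strict-Transport-Security response header, the policy that makes Chrome
# refuse to proceed past Fiddler's certificate. It follows RFC 6797's
# directive grammar and reports the checks a site owner usually wants.
PRELOAD_MIN_AGE = 31536000  # one year, the minimum hstspreload.org accepts


def parse_hsts(header):
    """Parse an STS header value into a dict, or None if it is not a valid policy."""
    seen = set()
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:  # RFC 6797: each directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():  # must be a non-negative integer (quotes allowed)
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:  # max-age is mandatory
        return None
    return policy


def hsts_findings(header):
    """Return a list of findings about a policy; an empty list means it looks fine."""
    policy = parse_hsts(header)
    if policy is None:
        return ["not a valid HSTS policy (missing/bad max-age or duplicate directive)"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy; plain HTTP will be allowed again")
    elif policy["max_age"] < PRELOAD_MIN_AGE:
        findings.append("max-age shorter than one year; too short for the preload list")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing; subdomains are not protected")
    if policy["preload"] and (policy["max_age"] < PRELOAD_MIN_AGE
                             or not policy["include_subdomains"]):
        findings.append("preload set but the preload requirements are not met")
    return findings
```

Feed it the header from your own site's HTTPS response; a strong policy such as `max-age=31536000; includeSubDomains; preload` returns no findings.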

I went over to StackOverflow to see if there was a way around it, and of course they have HSTS enabled as well. Not a big deal; hitting F12 will stop Fiddler from interfering, and I was on my way…and that’s when I saw this beauty – tucked away with 68 upvotes.

While sitting at the Chrome warning screen, you literally type thisisunsafe (or whatever the Chrome devs have changed it to most recently; hit the Stack Overflow page to see the latest). I thought for sure I was getting trolled by some Konami code BS, but I typed it in anyway, and holy hell the page appeared!

One Reply to “Accessing HSTS websites using Fiddler. Yes, it can be done!”

  1. Pieter Temmerman says:

    Thanks a lot for this!
