TL;DR: Under certain circumstances you won’t be able to access an HTTPS site with an invalid certificate from Chrome, unless you type the magic cheat code “thisisunsafe”.
I was debugging a web site from the local network with a self-signed certificate. I couldn’t use letsencrypt, because the site is not available externally.
I received this error when trying to access it:
Apparently Chrome completely (well, almost completely) blocks access to misconfigured sites that use HTTP Strict Transport Security, a.k.a. HSTS. For websites that don’t require HSTS, Chrome shows a “Proceed to {website} (unsafe)” link in the “Advanced” section, but for websites with HSTS it says “You cannot visit {website} right now”, and there is no link to click on.
Yet, you still can proceed to the website by putting any item on the error page into focus, typing “thisisunsafe” (without quotes), and pressing ENTER.
For either kind of site, you can remove the exception by clicking on the “not secure” plaque at the top left and choosing “Turn on warnings”.
Chrome uses a complex algorithm to determine whether a web site requires HSTS. A web site may require it explicitly via a header, or it can be on a static preload list, or it can be deemed HSTS based on some dynamic rules. I never designated beta.ikriv.com as an HSTS web site; Chrome just decided that it is, on its own. It looks like IP-based URLs, e.g. https://192.168.0.10/something, are NOT considered HSTS by default.
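As an added illustration (not code from this post or from Chrome), the following Python models the dynamic part of that decision as RFC 6797 describes it: a Strict-Transport-Security header is parsed, the policy is stored with its max-age expiry, an includeSubDomains flag extends it to every subdomain, and IP-literal hosts are never treated as HSTS hosts. The `HstsStore` class and its method names are my own, and the static preload list is not modelled.

```python
import ipaddress

def is_ip_literal(host):
    """Browsers never treat an IP-address host as an HSTS host."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def parse_hsts_header(value):
    """Return (max_age, include_subdomains), or None if max-age is missing or malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self):
        self.entries = {}  # host -> (expiry time, include_subdomains)

    def observe(self, host, header, now):
        """Record a policy seen on a TLS response from host; IP literals are ignored."""
        parsed = parse_hsts_header(header)
        if is_ip_literal(host) or parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (now + max_age, include_sub)

    def is_hsts_host(self, host, now):
        """True if host, or a parent whose policy says includeSubDomains, has a live entry."""
        if is_ip_literal(host):
            return False
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

Feeding it a constructed `max-age=31536000; includeSubDomains` header seen on `ikriv.com` makes `beta.ikriv.com` an HSTS host without any header from the subdomain itself, while `192.168.0.10` never becomes one.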
I am not sure what to think of it. On the one hand, protecting the Internet against bad certificates is good. On the other hand, I am afraid that if every application follows in Chrome’s footsteps (everyone wants to be like Google, right?), we will be forced to remember a ton of cheat codes like this, and it would not be nice.