How to work with Strict Transport Security (HSTS) with JMeter

Question

How to work with Strict Transport Security (HSTS) with JMeter

I am trying to record traffic from a website that uses HTTP Strict Transport Security (HSTS). As a result, it is not possible to add a certificate exception. This means that I cannot record the session.

Does anyone know how I can handle this?

+4

jmeter hsts

ratsstack 06 jul. 15 at 3:02

source to share

2 answers

Websites using HSTS will not allow you to add a server exception. What you can do is configure your browser to allow / bypass the HSTS policy. Here's what you can do in Firefox case -

Enter about:support

into your browser to open the troubleshooting information page. (Alternatively, select Troubleshooting Information from the Help menu).
Navigate to the "Profile Folder" row in the table shown on the page and click the "Open Folder" button.
This will open a new browser window for the firefox profile directory. With this browser window open, close / close Firefox.
Open the file SiteSecurityServiceState.txt

and remove any lines containing your server name SiteSecurityServiceState.txt

you need to access. Save this file.

After that, when you start firefox, it will ignore the HSTS limitation.

Source: Mozilla Support

Alternative solution is to use JMeter Chrome plugin - BlazeMeter

0

shashi009 22 May '19 at 13:30

source to share

UBIK LOAD PACK · Accepted Answer · 2015-07-06T06:38:19+0000

You have the option to use HAR for jmeter:

https://blog.flood.io/convert-har-files-to-jmeter-test-plans/

But showing your mistake can help

How to work with Strict Transport Security (HSTS) with JMeter

More articles: