Bypassing GitHub's HSTS & CSP in Firefox
The first thing you'll need is a proxy. I'll use my local VM running apache2 here. At the time of writing, there are no Firefox plugins that can modify response headers, so this is the only way to do it (or just compile your own browser).

If you want to be able to push to GitHub, you have 2 options:
 - Create an alternative host that points to the original GitHub
 - From the proxy server, port forward to GitHub (I recommend creating a network interface that handles this domain)

Step 1 - Configure your proxy


Apache2 Config

<VirtualHost _default_:443>
	ServerName github.com

	SSLEngine on
	SSLCertificateFile    /home/penguin/github-bypass/cert.pem
	SSLCertificateKeyFile /home/penguin/github-bypass/key.pem

	# These 3 lines remove the unwanted headers from GitHub (requires mod_headers)
	Header unset Strict-Transport-Security
	Header unset Content-Security-Policy
	Header unset Public-Key-Pins

	SSLProxyEngine On
	SSLProxyCheckPeerCN on
	SSLProxyCheckPeerExpire on

	<Location />
		ProxyPass https://github.com/ nocanon
		# ProxyPreserveHost On
		# ProxyPassReverseCookieDomain 10.0.0.208 %{HTTP_HOST}

		# Require all denied
		# Require ip 192.168.0.222
	</Location>
</VirtualHost>

Generate a self-signed certificate with the following command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -sha256 -nodes

Step 2 - Faking the host


There are 2 ways to do that:
1. Modify the host table
2. Use a custom DNS masquerade ( i.e., host a custom DNS )

For the sake of simplicity, let's just edit the host table instead.

# host table config

192.168.0.139 github.com

Do the following steps:
 -> Flush your DNS cache
 -> Open Firefox
 -> Open History (Ctrl + H)
 -> Search for github.com
 -> Right click -> Forget about this site
 -> Go to about:config and add this preference: test.currentTimeOffsetSeconds: 11491200
 -> Restart Firefox
 -> Visit github.com and add the cert you've just generated as an exception

Done!
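
To confirm the proxy strips exactly the headers the Apache config above unsets, compare a header dump from the origin with one taken through the proxy. The script below is an added example, not part of the original post; the function names and the sample header dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: list which browser security headers a proxy removed.
# Inputs are header dumps such as `curl -s -D - -o /dev/null URL` prints.

# Print the lower-cased header names found in a dump read from stdin.
header_names() {
    tr -d '\r' | awk -F: '/^[A-Za-z0-9-]+:/ { print tolower($1) }' | sort -u
}

# security_headers_lost UPSTREAM PROXIED
# Prints each of the three headers unset in the Apache config that is
# present in UPSTREAM but missing from PROXIED.
security_headers_lost() {
    up=$(printf '%s\n' "$1" | header_names)
    px=$(printf '%s\n' "$2" | header_names)
    for h in strict-transport-security content-security-policy public-key-pins; do
        if printf '%s\n' "$up" | grep -qxF "$h" &&
           ! printf '%s\n' "$px" | grep -qxF "$h"; then
            printf '%s\n' "$h"
        fi
    done
}

# Constructed sample: what the origin might send (values are placeholders).
sample_upstream() { cat <<'EOF'
HTTP/1.1 200 OK
Server: example
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'none'
Public-Key-Pins: max-age=300; pin-sha256="CONSTRUCTED-PLACEHOLDER="
EOF
}

# Constructed sample: the same response after the proxy's `Header unset` lines.
sample_proxied() { cat <<'EOF'
HTTP/1.1 200 OK
Server: example
content-type: text/html; charset=utf-8
EOF
}

security_headers_lost "$(sample_upstream)" "$(sample_proxied)"
```

Every name printed is a protection the browser no longer receives for this site; the same comparison flags any middlebox that drops these headers without your knowledge.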

Why'd I do this?

You must have your own reasons to do so, right? For me, it is that I have a plugin that injects customized scripts & styles into every website I visit (a set of tools I use regularly, such as VimArea).

Because GitHub has a very strict policy, I think I'll just bypass all of that, because I could.
Tag(s): github HSTS CSP
斟酌 鵬兄
Fri Mar 03 2017 02:20:42 GMT+0000 (Coordinated Universal Time)
Last modified: Fri Jan 26 2018 03:28:02 GMT+0000 (Coordinated Universal Time)