diff --git a/CHANGELOG.md b/CHANGELOG.md
index 61451b1..019eabc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Change history for stripes-cli
 
+## 3.3.0 IN PROGRESS
+
+* Prune STS headers, permitting local non-SSL access via proxy. Refs STCLI-248.
+
 ## 3.2.0 IN PROGRESS
 
 * Add a proxy server to overcome issues with cookies SameSite policy. Refs STCLI-246.
diff --git a/lib/run-proxy.js b/lib/run-proxy.js
index 9478065..5b80abb 100644
--- a/lib/run-proxy.js
+++ b/lib/run-proxy.js
@@ -3,6 +3,7 @@ const { createProxyMiddleware } = require('http-proxy-middleware');
 
 const app = express();
 
+// [argv.okapi, argv.port, argv.proxyHost, argv.proxyPort]);
 const OKAPI = process.argv[2];
 const PORT = process.argv[3];
 const PROXY_HOST = process.argv[4];
@@ -15,8 +16,14 @@ app.use(
 changeOrigin: true,
 on: {
 proxyRes: (proxyRes) => {
+ // STCOM-247: overwrite any CORS headers in responses with those of
+ // the proxy, thus allowing access from any browser pointed at the proxy.
 proxyRes.headers['Access-Control-Allow-Origin'] = `${PROXY_HOST}:${PORT}`;
 proxyRes.headers['Access-Control-Allow-Credentials'] = 'true';
+
+ // STCOM-248: omit STS headers in responses, thus allowing non-ssl access,
+ // e.g. access via http://localhost:3000
+ delete proxyRes.headers['Strict-Transport-Security'];
 },
 },
 }),
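Review bot: The added line `// [argv.okapi, argv.port, argv.proxyHost, argv.proxyPort]);` in the first lib/run-proxy.js hunk reads as a fragment pasted from the spawning call (note the dangling `);`) rather than a comment a reader can use, and the positional meaning of `process.argv[2..4]` below it is only implied. Since the argv layout is the whole contract between the CLI and this script, I'd replace it with an explicit statement such as `// Positional arguments, in the order the CLI spawns this script: okapi URL, port, proxy host, proxy port.` and point at where that order is defined if it lives in a sibling file. The run of `const` declarations continues past the hunk (a fifth argument is presumably read after PROXY_HOST), so check the comment against that too.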
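Review bot: The new `delete proxyRes.headers['Strict-Transport-Security'];` in the second lib/run-proxy.js hunk is most likely a no-op: if `proxyRes` is the upstream `http.IncomingMessage` (which is what the proxy library hands to this hook), Node stores its header names lowercased in `.headers`, so the stored key is `strict-transport-security` and the mixed-case delete never matches — the neighbouring CORS assignments still work because an added mixed-case key is presumably written back via case-insensitive `setHeader` and wins, but a delete has to hit the stored key exactly. Change it to `delete proxyRes.headers['strict-transport-security'];`, or walk `Object.keys(proxyRes.headers)` with a case-insensitive compare if you do not want to rely on the lowercase contract, and verify by curling the proxy and confirming the header is absent. Stripping HSTS and forcing `Access-Control-Allow-Credentials: true` for a single origin is a deliberate security downgrade that is only acceptable because this proxy serves local development, so the comment should say that the proxy must never be bound to a non-loopback address or reused against production Okapi. Minor: the comments cite STCOM-247/STCOM-248 while the changelog entries on this page cite STCLI-246/STCLI-248, so one set of references is wrong. The enclosing `app.use(` call starts before the hunk.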