I resolved this issue by configuring the the HSTS header as follows:

@Configuration
@EnableWebSecurity
public class SecurityConfigurer extends WebSecurityConfigurerAdapter {
    ...
    @Override
    protected void configure(HttpSecurity http) throws Exception {
    ...
          http.headers().httpStrictTransportSecurity()
              .maxAgeInSeconds(0)
              .includeSubDomains(true);
    }
}

Disabling HSTS did not work for me.

If you don’t have HTTPS set up then the HSTS value should never be read - browsers must ignore HSTS sent over an unencrypted HTTP connection.

If you once did have HTTPS but now no longer do (or if you have HTTPS on some of your domains/pages), then your browser may have cached the HSTS setting for whatever max-age value was set when the browser last read the header. You would need to clear this in your browser. How to do this varies from browser to browser, but one of the easier ways that works in all browsers is to publish a new HSTS header with a max-age of 0 like you have done and then visit a page over HTTPS (not over unencrypted HTTP). This obviously requires you to have a HTTPS setup which you say you do not have? After all your browsers all have got the new setting for all affected domains, you can then stop publishing that HSTS header completely.

Skipping the reset step and just turning off the header when the browser has a previous version cached will not work - at least until the browser’s cached version expires after the max-age time.