Google Chrome redirecting localhost to https

I believe this is caused by HSTS - see http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

If you have (developed) any other localhost sites which send a HSTS header...

eg. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

...then depending on the value of max-age, future requests to localhost will be required to be served over HTTPS.

To get around this, I did the following.

  • In the Chrome address bar type "chrome://net-internals/#hsts"
  • At the very bottom of a page is QUERY domain textbox - verify that localhost is known to the browser. If it says "Not found" then this is not the answer you are looking for.
  • If it is, DELETE the localhost domain using the textbox above
  • Your site should now work using plain old HTTP

This is not a permanent solution, but will at least get it working between projects. If anyone knows how to permanently exclude localhost from the HSTS list please let me know :)

UPDATE - November 2017

Chrome has recently moved this setting to sit under Delete domain security policies

enter image description here

UPDATE - December 2017 If you are using .dev domain see other answers below as Chrome (and others) force HTTPS via preloaded HSTS.


I experienced the same problem in Chrome and I tried unsuccessfully to use BigJump's solution.

I fixed my problem by forcing a hard refresh, as shown in this blog (originally from this SuperUser answer).

Ensure your address bar is using the http scheme and then go through these steps, possibly a couple of times:

  1. Open the Developer Tools panel (CTRL+SHIFT+I)
  2. Click and hold the reload icon / Right click the reload icon.
  3. A menu will open.
  4. Choose the 3rd option from this menu ("Empty Cache and Hard Reload")

NEW DEVELOPMENTS! (if you have Chrome 63+)

If your localhost domain is .dev then I don't think the previously accepted answer works. The reason why is because since Chrome 63, Chrome will force .dev domains to HTTPS via preloaded HSTS.

What this means is, .dev basically won't work at all anymore unless you have proper signed SSL certificate -- no more self signed certificates allowed! Learn more at this blog post.

So to fix this issue now and to avoid this happening again in the future .test is one recommended domain because it is reserved by IETF for testing / dev purposes. You should also be able to use .localhost for local dev.


Piggybacking off Adiyat Mubarak

Could not hard refresh as it was just refreshing on https. Follows some of the same steps.

1. Open chrome developer tools (ctrl + shift + i)
2. Network Tab at the top
3. Click Disable cache checkbox at the top (right under network tab for me).
4. Refresh page (while the developer tools is still open)

I am facing the same problem but only in Chrome Canary and searching a solution I've found this post.

one of the next versions of Chrome is going to force all domains ending on .dev (and .foo) to be redirected to HTTPs via a preloaded HTTP Strict Transport Security (HSTS) header.

{ "name": "dev", "include_subdomains": true, "mode": "force-https" },
{ "name": "foo", "include_subdomains": true, "mode": "force-https" },

So, change your domains.