Google Chrome redirecting localhost to https

When I debug a Visual Studio project using Chrome the browser tries to redirect to the https equivalent of my web address. I do not have SSL enabled in the web project and the start URL is the http URL. When I debug using FireFox or IE I do not have this problem.

I did re-install Chrome which fixed the problem for a day. Without downloading any addons the problem happened again the next day.

What is making Chrome redirect localhost to https?

Network Inspect Shows: Request URL:data:text/html,chromewebdata Request Headers Provisional headers are shown User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

No preview and no response data in those tabs.

I believe this is caused by HSTS - see http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

If you have (developed) any other localhost sites which send a HSTS header ...

> e.g. Strict-Transport-Security: max-age=31536000; includeSubDomains; > preload

... then depending on the value of max-age, future requests to localhost will be required to be served over HTTPS.

To get around this, I did the following.

• In the Chrome address bar type the following: > chrome://net-internals/#hsts
• At the very bottom of a page there is QUERY domain textbox - verify that localhost is known to the browser. If it says "Not found" then this is not the answer you are looking for.
• If it is, DELETE the localhost domain using the textbox above
• Your site should now work using plain old HTTP

This is not a permanent solution, but will at least get it working between projects. If anyone knows how to permanently exclude localhost from the HSTS list please let me know :)

---

UPDATE - November 2017

Chrome has recently moved this setting to sit under the section
> Delete domain security policies

---

UPDATE - December 2017

If you are using .dev domain see other answers below as Chrome (and others) force HTTPS via preloaded HSTS.

I experienced the same problem in Chrome and I tried unsuccessfully to use BigJump's solution.

I fixed my problem by forcing a hard refresh, as shown in this blog (originally from this SuperUser answer).

Ensure your address bar is using the http scheme and then go through these steps, possibly a couple of times:

1. Open the Developer Tools panel (CTRL+SHIFT+I)
2. Click and hold the reload icon / Right click the reload icon.
3. A menu will open.
4. Choose the 3rd option from this menu ("Empty Cache and Hard Reload")

NEW DEVELOPMENTS! (if you have Chrome 63+)

If your localhost domain is .dev then I don't think the previously accepted answer works. The reason why is because since Chrome 63, Chrome will force .dev domains to HTTPS via preloaded HSTS.

What this means is, .dev basically won't work at all anymore unless you have proper signed SSL certificate -- no more self signed certificates allowed! Learn more at this blog post.

So to fix this issue now and to avoid this happening again in the future .test is one recommended domain because it is reserved by IETF for testing / dev purposes. You should also be able to use .localhost for local dev.

Piggybacking off Adiyat Mubarak

Could not hard refresh as it was just refreshing on https. Follows some of the same steps.

1. Open chrome developer tools (ctrl + shift + i)
2. Network Tab at the top
3. Click Disable cache checkbox at the top (right under network tab for me).
4. Refresh page (while the developer tools is still open)

I am facing the same problem but only in Chrome Canary and searching a solution I've found this post.

> one of the next versions of Chrome is going to force all domains ending on .dev (and .foo) to be redirected to HTTPs via a preloaded HTTP Strict Transport Security (HSTS) header.

{ "name": "dev", "include_subdomains": true, "mode": "force-https" },
{ "name": "foo", "include_subdomains": true, "mode": "force-https" },

So, change your domains.

Go to

chrome://net-internals/#hsts 

Enter localhost under Delete domain security policies and press the Delete button.

Now go to

chrome://settings/clearBrowserData 

tick the box Cached images and files and press click the button Clear data.

Open Chrome Developer Tools -> go to Network -> select Disable Cache -> reload

Chrome 63 (out since December 2017), will force all domains ending on .dev (and .foo) to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header. You can find more information about this here.

I also have been struggling with this issue. Seems that HSTS is intended for only domain names. So if you are developing in local machine, it much easier to use IP address. So I switched from localhost to 127.0.0.1

from https://galaxyinternet.us/google-chrome-redirects-localhost-to-https-fix/

None of the option fixes worked for me, for fixing https://localhost:3000, this did.

click and hold Reload Button and select Empty Cache and Hard Reload, this seems to only be an option on localhost

A lazy and fast solution for lazy people like me (working in Chrome 67).

Just launch another Chrome window in Stealth Mode, with the "Incognito Window" option (CTRL + SHIFT + N). No need to delete cache, no need to dive into deep Chrome settings, etc.

How I solved this problem with chrome 79:

Just paste this url in you search input chrome://flags/#allow-insecure-localhost

It helped me by using experimental features.

I never figured out the root of the problem however I was able to fix this problem. I deleted the Google Chrome app cache folder which solved the problem.

C:\Users[users]\AppData\Local\Google\Chrome

This can be caused by a cached https redirect, and can be fixed by clearing the cache manually as in Adiyat Mubarak's answer.

But if you are visiting localhost you likely are a developer, in which case you will find a cache clearing chrome extension such as "classic cache killer" (see e.g. https://chrome.google.com/webstore/search/classic%20cache%20killer?hl=en) useful in a variety of situations, and likely already have one installed.

So the quick fix is: Install a cache killer (if you don't have one already), turn it on, and reload the page. Done!

None of these worked for me. It started happening after a chrome update (Version 63.0.3239.84, linux) with a local URL. Would always redirect to https no matter what. Lost some hours and a lot of patience on this

What did worked after all was just changing the domain.

For what is worth, the domain was .app. Perhaps it got something to do? And just changed it to .test and chrome stopped redirecting it

Unfortunately, none of the solution listed here helped me to resolve this issue. I fixed this issue by using http://127.0.0.1 (ip address) instead of http://localhost. A quick little hack to work with angular development with chrome browser.

A simple solution to this is to edit your /etc/hosts file and establish one alias per project.

127.0.0.1	project1 project2 project3

These domainless names will never have the problem with HSTS unless you send the HSTS response mentioned by @bigjump and with the added benefit of maintaining your login session if you change back and forth between projects.

Tried everything mentioned (browser preferences, hsts, etc.) but nothing worked for me.

I solved it by adding a trailing .localhost to the host aliases.

Like this:

127.0.0.1    myproject.localhost
127.0.0.1    dev.project.localhost

In my case, I had my project path set as /Users/me/dev/project_root/ and was running the nodeJS/express server from there. Renaming my path to /Users/me/project_root (removing dev from the path to project) resolved the issue.

Most likely has to do with this new regulation:

> Chrome 63 (out since December 2017), will force all domains ending on .dev (and .foo) to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header.

You can find more information about this here.

Using:

• Google Chrome Version 70.0.3538.110 (Official Build) (64-bit)

• nodeJS v9.2.0

Go to

chrome://net-internals/#hsts 

Enter the domain under Delete domain security policies and press the Delete button.

Go to settings in Chrome and then to Advanced settings, under privacy and security section click Clear browsing data and then clear all data. I followed these steps and it worked for me. Hope it helps some one.

Chrome 63 forces .dev domains automatic to HTTPS via preloaded HSTS.
Quick fix: just change the .dev domains to .localhost.

This is not a solution, it's just a workaround.

1. Click on your visual studio project (top level) in the solution explorer and go to the properties window.

2. Change SSL Enabled to true. You will now see another port number as 'SSL URL' in the properties window.

3. Now, when you run your application (or view in browser), you have to manually change the port number to the SSL port number in the address bar.

Now it works fine as a SSL link

The issue could be replicated in VS 2019 also. This is caused due to "Enable Javascript debugging from Visual Studio IDE". The VS attaches to Chrome and it is a possibility that due to security or reasons known to Google and Microsoft, it sometimes fails to attach and you have this issue. I am able to run http and https with localhost from ASP net core 3.1 app. So while debugging in VS, go to the run with arrow -> IIS express, just below "Web Browser(Chrome)" select "Script Debugging (Disabled)".

See article: https://devblogs.microsoft.com/aspnet/client-side-debugging-of-asp-net-projects-in-google-chrome/

https://docs.microsoft.com/en-us/visualstudio/debugger/debugging-web-applications?view=vs-2019

Always fallback to Microsoft docs to get more clarity than googling an issue.

For me, the following worked in Chrome 90. My app opened up a local webpack server on localhost:3000 which automatically redirected to HTTPS, and I got ERR_SSL_PROTOCOL_ERROR.

I clicked on the little info icon next to the URL, opened up the Site Settings from the menu dropdown. In the list, the Insecure content was set to Block (default).

I changed this to Allow, and just reloaded the http version and it loaded fine.

Hope this will help people out.

I could not get any solution to work; but a redirect in my web.config allowed me to continue to work (localhost) until I find what is causing the issue.

This is essentially a rewrite rule that turns HTTPS to HTTP; it seems to have overwritten the previous rule that redirected HTTP to HTTPS.

It needs to be within your section in web.config

    <rewrite>
  <rules>
    <clear />
    <rule name="Redirect to https" stopProcessing="true">
      <match url=".*" />
      <conditions>
        <add input="{HTTP}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
    </rule>
  </rules>
</rewrite>

In my case I was using browser-sync on a Mac and the browser kept redirecting http://localhost:3000 to https://localhost:3000.

I am using Valet to serve local sites, and I had run valet secure on the local *.test domain to give it a SSL cert. Because I was proxying this HTTPS domain in browser-sync, the browser was loading localhost:3000 with HTTPS.

To fix it I had to:

1. run valet unsecure to remove the SSL cert
2. run valet restart
3. restart browser-sync
4. open localhost:3000 in the browser (Vivaldi in my case which is a Chromium browser)
5. Open Developer Tools
6. Tick "Disable Cache" on the Network tab
7. Refresh the page

Turns out this error message was sending me down a rabbit hole.

The problem for me was that the page I was trying to load on http was failing to return a response (due to a bug in my code that was crashing the server).

Chrome was automatically trying https automatically as a backup so, instead of seeing the actual error (page timed out), I was seeing the SSL error which was a red herring.

Fixing the underlying server crash & navigating back to http://localhost:5000 fixed my problem.

For anyone running a Node.js express server on localhost like me, I have this piece of code that redirects http to https:

const server = express() 
  .use((req, res, next) => {
    if (req.headers['x-forwarded-proto'] != 'https') {
      res.redirect('https://' + req.headers.host + req.url)
    } else {
      next()
    }
  })

You have to make sure it doesn't redirect localhost:

const server = express() 
  .use((req, res, next) => {
    if (req.headers['x-forwarded-proto'] != 'https' && req.headers['host'].indexOf("localhost") == -1) {
      res.redirect('https://' + req.headers.host + req.url)
    } else {
      next()
    }
  })

For someone who had the same problem I solved by pressing CTRL + SHIFT + DELETE to delete just the entire browser cache. Now I can access my localhost website on HTTP protocol.

@Adiyat Mubarak answer did not work for me. When I attempted to clear the cache and hard-reload, the page still redirected to https.

My solution: In the upper right-hand corner of the url bar (just to the left of the favorites star icon) there is an icon with an "x" through it. Right-click on that, and it will say something about "unsafe scripts", then there is an option to load them anyway. Do that.

Another option would be to use something like https://github.com/rchampourlier/tunnelss

Sure it added another dependency / setup, but it also enables testing of https in dev, which could be nice.

I use RVM however to get tunnelss working I had to use sudo gem install tunnelss and sudo tunnelss

That's the fastest solution today (17-3-2018):

Close all Chrome tabs / windows and run on your command line this: (or add it as a shortcode)

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors