I believe this is caused by HSTS – see http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
If you have (developed) any other localhost sites which send an HSTS header …
e.g.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
… then depending on the value of max-age, future requests to localhost will be required to be served over HTTPS.
To get around this, I did the following.
- In the Chrome address bar type the following:
chrome://net-internals/#hsts
- At the very bottom of the page there is a QUERY domain textbox – verify that localhost is known to the browser. If it says “Not found” then this is not the answer you are looking for.
- If it is, DELETE the localhost domain using the textbox above
- Your site should now work using plain old HTTP
This is not a permanent solution, but will at least get it working between projects. If anyone knows how to permanently exclude localhost from the HSTS list please let me know 🙂
UPDATE – November 2017
Chrome has recently moved this setting to sit under the section "Delete domain security policies".
UPDATE – December 2017
If you are using a .dev domain, see other answers below, as Chrome (and others) force HTTPS via preloaded HSTS.
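
What the header quoted in the answer does to a browser's HSTS store, as an added example that is not part of the original answer: a small parser following the RFC 6797 rules (max-age required, repeated directives invalidate the header, IP literals are never noted as HSTS hosts). The function names `parseHsts` and `hstsEffect` are hypothetical, and the timestamp is constructed.

```javascript
// Added example: parse a Strict-Transport-Security value per RFC 6797 section 6.1.
function parseHsts(value) {
  const seen = new Map();
  for (const part of value.split(';')) {
    const token = part.trim();
    if (token === '') continue;                 // tolerate a trailing semicolon
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : token.slice(eq + 1).trim();
    if (val !== null && /^".*"$/.test(val)) val = val.slice(1, -1); // quoted-string form
    if (seen.has(name)) return null;            // repeated directive: header is ignored
    seen.set(name, val);
  }
  const maxAge = seen.get('max-age');
  if (maxAge == null || !/^\d+$/.test(maxAge)) return null; // max-age is mandatory
  return {
    maxAge: Number(maxAge),
    includeSubDomains: seen.has('includesubdomains'),
    preload: seen.has('preload'),
  };
}

// What a browser would remember for `host` (no port) after receiving `value`
// on an HTTPS response at time `nowMs`. The header is ignored over plain HTTP.
function hstsEffect(host, value, nowMs) {
  const policy = parseHsts(value);
  if (policy === null) return { pinned: false, reason: 'invalid header, ignored' };
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  if (isIp) return { pinned: false, reason: 'IP literals are never HSTS hosts' };
  if (policy.maxAge === 0) return { pinned: false, reason: 'max-age=0 clears the entry' };
  return {
    pinned: true,
    expires: new Date(nowMs + policy.maxAge * 1000).toISOString(),
    coversSubdomains: policy.includeSubDomains,
  };
}

// Constructed input: the header from the answer, seen on 2017-01-01 UTC.
const sample = 'max-age=31536000; includeSubDomains; preload';
const seenAt = Date.UTC(2017, 0, 1);
console.log(hstsEffect('localhost', sample, seenAt));
console.log(hstsEffect('127.0.0.1', sample, seenAt));
```

A development server that only sends the header when the request host is not localhost avoids creating the entry in the first place.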