Fixed: Chrome Forces HTTPS on Localhost (ERR_SSL_PROTOCOL_ERROR in Laragon)

The problem: You type http://yourproject.test, hit enter, and Chrome silently rewrites it to https:// — then fails, because your local Apache server was never set up with an SSL certificate for that site.

Environment: Laragon on Windows 11, Chrome, any local project domain (most common with .dev, but can happen on any domain that once served an HTTPS redirect)

The Error

This site can't provide a secure connection
yourproject.test sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Or sometimes just an endless redirect loop between http:// and https:// versions of the same local URL, with the address bar showing https:// even though you typed http://.

Why It Happens

This isn't a Laragon bug — it's Chrome's own security feature, called HSTS (HTTP Strict Transport Security), working exactly as designed but catching you off guard locally.

HSTS tells the browser: "always load this domain over HTTPS, never HTTP, even if the user types http:// or clicks an http:// link." A domain ends up on this list two ways:

  • The domain sent an HSTS header at some point. If the project was ever deployed live with HTTPS and an HSTS header, or if you once accidentally proxied it through something with SSL, Chrome remembers this — per domain — and keeps enforcing it, even on localhost.
  • The TLD itself is HSTS-preloaded. This is the one that surprises people the most: .dev is permanently baked into Chrome's HSTS preload list by Google — every single .dev domain, including ones on your own machine that Google has never seen, is forced to HTTPS. This can't be undone per-site because it's compiled into the browser itself, not something your server ever set.

The Fix

If your domain isn't .dev (e.g. Laragon's default .test, or .local), you can clear the cached HSTS policy directly in Chrome:

  1. Go to chrome://net-internals/#hsts
  2. Scroll to the "Delete domain security policies" section
  3. Type your exact domain (e.g. yourproject.test) and click Delete
  4. Close and reopen the tab, try http:// again

If your domain ends in .dev, this won't work — the preload is hardcoded in Chrome and can't be deleted per-site. Your only real fix is to stop using .dev for local projects entirely. In Laragon: right-click tray icon → Preferences → change the default TLD from dev to test (Laragon's actual default, and safe — .test is officially reserved by IETF for exactly this purpose and will never be HSTS-preloaded).

// TLD safety check
.test    → safe, IETF-reserved, never HSTS-preloaded
.localhost → safe, browser-reserved
.dev     → permanently HSTS-preloaded by Chrome, avoid for local dev
.app     → also HSTS-preloaded, avoid

Step-by-Step

  1. Check which TLD your project is using — open Laragon, check the site's domain in the "www" tab.
  2. If it's .dev or .app, switch Laragon's default TLD to .test via Preferences, then rename the project folder if needed to trigger Laragon's auto virtual host regeneration.
  3. If it's already .test (or similar) but still forcing HTTPS, clear it via chrome://net-internals/#hsts as shown above.
  4. Restart Apache in Laragon after any config change.
  5. Hard refresh the browser tab (Ctrl+Shift+R) to bypass any cached redirect.

This HSTS caching is per-browser, not per-project — so even after fixing it, Firefox or Edge might still redirect if you've opened the same local project there before. Repeat the fix per-browser if you test across multiple browsers locally.

Still stuck with a different SSL-related localhost error? Post the exact message on the Contact page.

Advertisement
Advertisement