The problem: You type http://yourproject.test, hit enter, and Chrome silently rewrites it to https:// — then fails, because your local Apache server was never set up with an SSL certificate for that site.
Environment: Laragon on Windows 11, Chrome, any local project domain (most common with .dev, but can happen on any domain that once served an HTTPS redirect)
The Error
This site can't provide a secure connection
yourproject.test sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
Or sometimes just an endless redirect loop between http:// and https:// versions of the same local URL, with the address bar showing https:// even though you typed http://.
Why It Happens
This isn't a Laragon bug — it's Chrome's own security feature, called HSTS (HTTP Strict Transport Security), working exactly as designed but catching you off guard locally.
HSTS tells the browser: "always load this domain over HTTPS, never HTTP, even if the user types http:// or clicks an http:// link." A domain ends up on this list two ways:
- The domain sent an HSTS header at some point. If the project was ever deployed live with HTTPS and an HSTS header, or if you once accidentally proxied it through something with SSL, Chrome remembers this — per domain — and keeps enforcing it, even on localhost.
- The TLD itself is HSTS-preloaded. This is the one that surprises people the most:
.devis permanently baked into Chrome's HSTS preload list by Google — every single.devdomain, including ones on your own machine that Google has never seen, is forced to HTTPS. This can't be undone per-site because it's compiled into the browser itself, not something your server ever set.
The Fix
If your domain isn't .dev (e.g. Laragon's default .test, or .local), you can clear the cached HSTS policy directly in Chrome:
- Go to
chrome://net-internals/#hsts - Scroll to the "Delete domain security policies" section
- Type your exact domain (e.g.
yourproject.test) and click Delete - Close and reopen the tab, try
http://again
If your domain ends in .dev, this won't work — the preload is hardcoded in Chrome and can't be deleted per-site. Your only real fix is to stop using .dev for local projects entirely. In Laragon: right-click tray icon → Preferences → change the default TLD from dev to test (Laragon's actual default, and safe — .test is officially reserved by IETF for exactly this purpose and will never be HSTS-preloaded).
Step-by-Step
- Check which TLD your project is using — open Laragon, check the site's domain in the "www" tab.
- If it's
.devor.app, switch Laragon's default TLD to.testvia Preferences, then rename the project folder if needed to trigger Laragon's auto virtual host regeneration. - If it's already
.test(or similar) but still forcing HTTPS, clear it viachrome://net-internals/#hstsas shown above. - Restart Apache in Laragon after any config change.
- Hard refresh the browser tab (Ctrl+Shift+R) to bypass any cached redirect.
This HSTS caching is per-browser, not per-project — so even after fixing it, Firefox or Edge might still redirect if you've opened the same local project there before. Repeat the fix per-browser if you test across multiple browsers locally.
Still stuck with a different SSL-related localhost error? Post the exact message on the Contact page.