type "thisisunsafe" ergens in de browser window.
----------------------------------------------------------------------------------------------
Click anywhere in chrome window and type thisisunsafe (instead of badidea previously) in chrome.
This passphrase may change in future. This is the source
According to that line, type window.atob('dGhpc2lzdW5zYWZl') to your browser console and it will give you the actual passphrase.
This time the passphrase is thisisunsafe.
CTRL-SHIFT-J for console
--------------------------------------------------------------------------------------------
https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/
of
I believe this is caused by HSTS - see http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
If you have (developed) any other localhost sites which send a HSTS header...
eg. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
...then depending on the value of max-age, future requests to localhost will be required to be served over HTTPS.
To get around this, I did the following.
- In the Chrome address bar type "chrome://net-internals/#hsts"
- At the very bottom of a page is QUERY domain textbox - verify that localhost is known to the browser. If it says "Not found" then this is not the answer you are looking for.
- If it is, DELETE the localhost domain using the textbox above
- Your site should now work using plain old HTTP
This is not a permanent solution, but will at least get it working between projects. If anyone knows how to permanently exclude localhost from the HSTS list please let me know :)
UPDATE - November 2017
Chrome has recently moved this setting to sit under Delete domain security policies
UPDATE - December 2017 If you are using .dev domain see other answers below as Chrome (and others) force HTTPS via preloaded HSTS.