https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/

http://classically.me/blogs/how-clear-hsts-settings-major-browsers/



Firefox:

An exception should work. In order to be able to try re-adding the exception using the Advanced button / Add Exception button approach, you need to first remove the stored HSTS flag.

Open your current Firefox settings (AKA Firefox profile) folder using either

  •  "3-bar" menu button > "?" button > Troubleshooting Information
  •  (menu bar) Help > Troubleshooting Information
  •  type or paste about:support in the address bar and press Enter

In the first table on the page, click the "Open Directory" (or similar) button. This should launch a new window listing various files and folders in your file browser.

Leaving that window open, switch back to Firefox and Exit/Quit, either:

  •  "3-bar" menu button > "power" button
  •  (menu bar) File > Exit / Quit

Pause while Firefox finishes its cleanup, then open SiteSecurityServiceState.txt in your preferred text editor and delete all lines for the hostname you need to access and save the file.

When you start Firefox again, on your first visit, Firefox normally ignores the HSTS status because it hasn't gotten past the handshake.




Chrome:

I believe this is caused by HSTS - see http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

If you have (developed) any other localhost sites which send an HSTS header...

e.g. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

...then depending on the value of max-age, future requests to localhost will be required to be served over HTTPS.

To get around this, I did the following.

  • In the Chrome address bar type "chrome://net-internals/#hsts"
  • At the very bottom of the page is the QUERY domain textbox - verify that localhost is known to the browser. If it says "Not found" then this is not the answer you are looking for.
  • If it is, DELETE the localhost domain using the textbox above
  • Your site should now work using plain old HTTP

This is not a permanent solution, but will at least get it working between projects. If anyone knows how to permanently exclude localhost from the HSTS list please let me know :)

UPDATE - November 2017

Chrome has recently moved this setting to sit under Delete domain security policies.

UPDATE - December 2017: If you are using a .dev domain, see other answers below, as Chrome (and others) force HTTPS via preloaded HSTS.
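
Added example, not part of the answers quoted above and not Chrome's or Firefox's code: a small Python model of how a browser's dynamic HSTS list treats the header shown earlier, following RFC 6797 (max-age sets the expiry, includeSubDomains extends the policy to subdomains, and max-age=0 sent by the site removes the entry). The names parse_hsts and HSTSStore are hypothetical, and the model assumes the caller only passes headers received over HTTPS.

```python
import time

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns (max_age, include_subdomains), or None if the header is invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if name in seen:
            return None                        # a repeated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')   # the value may be a quoted-string
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # unrecognised directives such as "preload" are ignored
    return None if max_age is None else (max_age, include_sub)

class HSTSStore:
    """Toy model of a browser's dynamic HSTS list (hypothetical, for illustration)."""
    def __init__(self):
        self.entries = {}                      # host -> (expiry_epoch, include_subdomains)

    def note_header(self, host, header, now=None):
        now = time.time() if now is None else now
        policy = parse_hsts(header)
        if policy is None:
            return                             # invalid header: stored state is unchanged
        max_age, include_sub = policy
        if max_age == 0:
            self.entries.pop(host.lower(), None)   # max-age=0 clears the stored policy
        else:
            self.entries[host.lower()] = (now + max_age, include_sub)

    def requires_https(self, host, now=None):
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):           # the host itself, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```
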