I believe this is caused by HSTS – see http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

If you have (developed) any other localhost sites which send a HSTS header …

e.g. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

… then depending on the value of max-age, future requests to localhost will be required to be served over HTTPS.

To get around this, I did the following.

• In the Chrome address bar type the following:
  

  chrome://net-internals/#hsts

• At the very bottom of a page there is QUERY domain textbox – verify that localhost is known to the browser. If it says “Not found” then this is not the answer you are looking for.
• If it is, DELETE the localhost domain using the textbox above
• Your site should now work using plain old HTTP

This is not a permanent solution, but will at least get it working between projects. If anyone knows how to permanently exclude localhost from the HSTS list please let me know 🙂

---

UPDATE – November 2017

Chrome has recently moved this setting to sit under the section

Delete domain security policies

---

UPDATE – December 2017

If you are using .dev domain see other answers below as Chrome (and others) force HTTPS via preloaded HSTS.