Jul 172015

The Problem

I recently created a new ASP.NET Web Application project in Visual Studio. Upon launching it for debug in the Google Chrome browser, I was greeted with an SSL Connection Error screen from Chrome. I also noticed that the url was changed from “http:” to “https:” (https://localhost:49500/).

I looked at my project settings in Visual Studio under the Web tab and found that my Project Url was set to http://localhost:49500/, which indicated to me that the project should have been launched in as http, not https.

Project Settings with Http

There was no launching as http, and the fact that my browser was demanding that the site be secured was causing me to not be able to load and debug my project.

The Cause

I didn’t want my project launched as https and couldn’t understand why this was happening.  After consulting with an associate (thanks Tim!) I discovered that this problem was caused by a custom header setting in the Web.config file of an old project that I had debugged, coupled with the HTTP Strict Transport Security cache in my Chrome browser.

I had debugged another, existing ASP.NET project in the recent past that had this customHeader line in its Web.config file:

        <add name="Strict-Transport-Security" value="max-age=16070400; includeSubDomains" />

The “Strict-Transport-Security” customHeader line causes the server (in this case http://localhost) to add a line in the response header that a HSTS-capable browser (e.g. Google Chrome) reads.  The browser takes this as a sign that any further communication (within the given time) with this server should be done via HTTPS only.  Per the Chromium.org HSTS page:

When the browser sees this, it will remember, for the given number of seconds, that the current domain should only be contacted over HTTPS. In the future, if the user types http:// or omits the scheme, HTTPS is the default.

Since the project that I debugged had this header in its Web.config, I had told all HSTS-compatible browsers that I had used in debugging to always require http://localhost to default to https.  This was borne out by looking at the HSTS cache in chrome by going to this url in the Google Chrome browser:  chrome://net-internals/#hsts and querying for localhost:

hsts cache in Chrome

The query shows “localhost” as being in the list of domains in the HSTS set.

The Solution

After finding that I had cached the domain “localhost” as requiring HTTPS, the solution was as simple as deleting the domain from my cache.  In the Google Chrome browser, I navigated to chrome://net-internals/#hsts, typed “localhost” into the Delete domain text field, and hit Delete.  After doing so, I queried for “localhost” again and received a “Not found”

Localhost not found

Then, I re-launched my project from Visual Studio into Chrome and found that my ability to launch as HTTP had returned.

http load