There’s a special kind of irritation that only web developers know: you hit F5 in Visual Studio expecting a friendly little http://localhost:12345, and instead your browser lunges straight into HTTPS like it’s late for a security audit. Suddenly you’re staring at a certificate warning, your cookies don’t match, and your dev environment feels like it’s cosplaying as production.
The culprit is almost always the same—a well-intentioned rewrite rule that does exactly what you told it to do, not what you meant for it to do.
If you’ve ever wondered why your local site keeps force-redirecting to HTTPS even though you never asked for it, this post walks through the exact reason, the fix, and the cleanest way to keep production locked down without making development annoying.