I just spent several hours trying to find out why my virtual domains were redirecting to https on XAMPP when just last week everything was fine. I had experimented with doing a security certificate for my local development sites, so I thought maybe that had something to do with it. However, I backed out all my changes last week and so there shouldn’t have been any issues. I was searching everywhere with XAMPP thinking I had broken something.
After spending may too much time trying to look for a needle in a haystack, I decided to see if localhost would redirect. Unlike the virtual domain, localhost did NOT redirect. So now I knew the issue was with the virtual host and not within XAMPP.
Next, I opened up IE – found that the virtual host did NOT redirect to https there.  So I did a Google search on “chrome firefox redirect dev to https” and discovered that Google has bought the .dev gTDL (Generic Top Level Domain) and is now forcing all .dev traffic to HTTPS within their Chrome browser. Firefox seems to have followed suit with forcing the redirect. I’m not sure why I never had an issue with Chrome previously. It could be that my Chrome wasn’t updated until now since according to this it was just implemented in December 2017 with Chrome 63.
tl;dr: Chrome 63 (out since December 2017), will force all domains ending on .dev (and .foo) to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header.
Solution
The solution is pretty basic, but just a pain in the ass to have to do this. The easiest thing I could find is to stop using .dev for local development sites. This seems to be what everyone is recommending.  People suggested using .test or .localhost instead, however I decided to go with my initials. I guess I will be in trouble if my initials become a gTDL and Google or someone else buys it.
You can find out more on how to set up Virtual Hosts on XAMPP at Setting a Local Virtual Domain with XAMPP. I am sure if you are having this problem you have already set up a virtual host. However, if you have NOT set up a virtual host yet, be aware of this issue now with using .dev domain.
Other Issues
Be aware – this only fixes the issue of the redirect. It does NOT fix the issue of having to go into website files in order to fix any hardcoded domains. For instance, in WordPress you will need to change the URL from .dev to whatever your new domain is you will use. You can see the process at Changing a WordPress Site from HTTP to HTTPS
Other Resources
This is a good read and my feelings as well concerning Google DICTATING the use of .dev (this article was written even BEFORE Google enforced the HTTPS for this domain) –Thanks a lot, Google, for snatching .dev for yourself. It’s not like the rest of us wanted it