tl;dr: Chrome 63 (out since December 2017) will force all domains ending in .dev (and .foo) to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header.
Update 07/02/2018: Firefox now also forces .DEV domains to HTTPS.
Wait, there’s a legit .dev gTLD?
Yes, unfortunately.
It’s been bought by Google as one of their 100+ new gTLDs. What do they use it for? No clue. But it’s going to cause a fair bit of confusion and pain to web developers.
The .dev gTLD has nameservers and is basically like any other TLD out there. We as developers just happen to have chosen that name as a good placeholder for local development, too, overwriting the public DNS.
$ dig +trace dev. NS
dev. 172800 IN NS ns-tld4.charlestonroadregistry.com.
dev. 172800 IN NS ns-tld5.charlestonroadregistry.com.
dev. 172800 IN NS ns-tld3.charlestonroadregistry.com.
dev. 172800 IN NS ns-tld2.charlestonroadregistry.com.
dev. 172800 IN NS ns-tld1.charlestonroadregistry.com.
Google publishes some of their domains on there, too:
$ dig +trace google.dev A
google.dev. 3600 IN A 127.0.53.53
So yes, it’s a legit TLD.
Consequences of redirecting .dev to HTTPS
A lot of (web) developers use a local .dev TLD for their own development, either by adding records to their /etc/hosts file or by using a system like Laravel Valet, which runs a dnsmasq service on your system to translate *.dev to 127.0.0.1.
In those cases, if you browse to http://site.dev, you’ll be redirected to https://site.dev, the HTTPS variant.
That means your local development machine needs to:
- Be able to serve HTTPS
- Have self-signed certificates in place to handle that
- Have that self-signed certificate added to your local trust store (you can’t dismiss self-signed certificates with HSTS, they need to be ‘trusted’ by your computer)
Such fun.
What should we do?
With .dev being an official gTLD, we’re most likely better off changing our preferred local development suffix from .dev to something else.
If you’re looking for a quick “search and replace” alternative for existing setups, consider the .test gTLD, which is a reserved name by IETF for testing (or development) purposes.
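A sketch of that search and replace for /etc/hosts entries and dnsmasq `address=` lines, as an added example that is not part of the original post. The function names and the sample file are constructed for illustration; only the last DNS label is compared, so names such as dev.example.com are left alone.

```python
PRELOADED_TLDS = {"dev", "foo"}   # the TLDs the article names as HSTS-preloaded
REPLACEMENT = "test"              # the reserved name the article suggests

def swap_tld(name):
    """Rewrite the last label of `name` if it is one of the preloaded TLDs."""
    lead = "." if name.startswith(".") else ""   # dnsmasq accepts "/.dev/"
    labels = name.strip(".").split(".")
    if labels[-1].lower() not in PRELOADED_TLDS:
        return name
    return lead + ".".join(labels[:-1] + [REPLACEMENT])

def migrate_line(line):
    """Return `line` with .dev/.foo names moved to .test, else `line` untouched."""
    body, sep, comment = line.partition("#")
    stripped = body.strip()
    if stripped.startswith("address=/"):         # dnsmasq: address=/domain/ip
        tokens, glue, names = stripped.split("/"), "/", slice(1, -1)
    else:                                        # hosts: ip name [alias ...]
        tokens, glue, names = stripped.split(), " ", slice(1, None)
    new = list(tokens)
    new[names] = [swap_tld(n) for n in tokens[names]]
    if new == tokens:                            # nothing to migrate: keep as-is
        return line
    return glue.join(new) + (" " + sep + comment if sep else "")

def migrate(text):
    """Return (new_text, changed_line_numbers) for a hosts or dnsmasq file."""
    out, changed = [], []
    for number, line in enumerate(text.splitlines(), 1):
        new = migrate_line(line)
        if new != line:
            changed.append(number)
        out.append(new)
    return "\n".join(out), changed

# Constructed sample mixing hosts-file and dnsmasq syntax.
SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 site.dev www.site.dev  # local project
127.0.0.1 dev.example.com
address=/.dev/127.0.0.1
::1 shop.foo"""

if __name__ == "__main__":
    text, changed = migrate(SAMPLE)
    print(text)
    print("changed lines:", changed)
```

Web server virtual hosts and application config that reference the old names need the same rename, which this sketch does not cover.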
There’s also an excellent proposal to add the .localhost domain as a new standard, which would be more appropriate here. It would mean we no longer have site.dev, but site.localhost. And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds.
I do hope the Chromium team reconsiders the preloaded HSTS as it’s going to have rather big implications for local web development.