Issue
All requests to my .app
and/or .dev
domains on my app are being inexplicably redirected to using SSL without any such configuration in my app or DNS settings.
Resolution
All domains with the .app
and .dev
TLD come with the HSTS (HTTP Strict Transport Security) protocol preloaded at the DNS layer. This technology allows enforcement of the HTTPS protocol for all requests made to this domain before it even hits the underlying app. This means that without a valid SSL certificate, it is not possible for visitors to even reach your app.
Since there is no way to remove this requirement for these domains, a valid SSL certificate must be in place on your app for it to be accessible via domains with either of these TLDs.
You can find a thorough explanation regarding this here. Furthermore, if you would like to confirm that your domain has HSTS preloaded, you can use this tool to do so.