Assuming your app/code isn’t doing any redirecting and you are not using any proxy (like Cloudflare) which is set to enforce https … are you using a .dev domain to access the app? Only if you take a look at https://get.dev/ you will see that HTTPS is required. Security is built in, as Google put it.
So … assuming that is the cause, I would think you could avoid it by using a custom domain (e.g www.example.com). Point that at the app using A/AAAA records. And since it is not a .dev domain, HTTPS is not enforced and you should not see any redirect.