Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Although this is true, it's also true that not all 'secure' functionality is enabled for localhost without HTTPS.

One such example is secure cookies.

There's a longer list here: https://web.dev/when-to-use-local-https/



The cookie one is the only semi-legit one. And it would be kind of weird that setting the https only flag wouldnt mean what it says.

Everything else on that list is you can't test https without https. How could you possibly test mixed content without using https? Http/2 is so tied to TLS that the insecure version that nobody has implemented isn't really the same thing. Etc


You’re right. But my point was just that although localhost is a secure origin, there are still differences between localhost and sites loaded over HTTPS.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: