
Security on localhost?

patarapolw (Pacharapol Withayasakpunt) ・ 1 min read

What do you think about,

  • Disabling CORS? (Actually, can non-CORS, like proxy, be faked by malicious local apps?)
  • HTTPS? Other protocols with SSL?
  • Coffee shops (Public network) vs Trusted / Private?
  • Exposing to 0.0.0.0, especially for mobile testing? (Don't know if there is better way.)

Discussion


I don't worry about security on localhost because I block all inbound traffic with a firewall. I disable CORS and don't use HTTPS. Mobile development is done via emulators on localhost.

 

Most of the time, you don't really have to do any of these things if you run a simple reverse proxy locally (on port 80 or some other port) and configure it to route traffic elsewhere. You can get really fancy with the routing, but generally the routing is based on one of three things:

  • path
  • subdomain
  • header(s)

Essentially this is what API gateways do (and some more), but the core of it is routing, which is typically called a reverse proxy. There are a million of these tools out there now. Some are very simple, some are very complex.

The way this avoids CORS issues is that you always hit your reverse proxy URL (e.g., localhost:80 or [your_machine_name]:80), so you stay on your domain always. Zero crossing of domains or ports or protocols, as all traffic from your browser/device goes through this reverse proxy.

 

What Kianoosh said. I have used this for aeons: en.wikipedia.org/wiki/Squid_(softw...
Remember that all debuggers and localhost testing usually require you to open a port. Always run a firewall and a VPN with rotating certs / leases.