What is the use of https in local host? Do I really need to enforce it in local server even tho I'll add ssl cert after it gets deployed anyway! For example an express server in localhost .Does it need ssl in local server?

Yes, get your local environment as close to production as possible, helps you catch stupid https bugs. Also, you won't need differing dev/prod config other than the certs

For local, no, but i stand by the fact Dev/local and prod should be as close of a replica as possible.

For staging / prod, yes.

@alexbrooklyn shit that makes sense . Why did I not think about it that way lol !

localhost could be pointing to a remote server (e.g. if looked up over DNS with a man in the middle).

While absolutely unlikely and nearly irrelevant (as localhost is in your hosts file), but this scenario is listed as a vulnerability for the original SSH (not OpenSSH): https://kb.cert.org/vuls/id/...

The fun thing is: You should do migration testing in a localhost environment.

My workstation has - thanks to Gentoo and bleeding edge - more than once catched a fuckity before it was _too late_.

And especially in cryptography it can - eg regarding ciphers - be a decisive factor to realize at an early stage that you'll need to get the weed whacker...

You deploy in localhost, you'll fire up the engines and suddenly all phasers gone to fail - the HTTP library is so old that it rejects the newer ciphers...

Or a certain library has under certain conditions done the wrong thing...

And after OpenSSL upgrade suddenly the library presents you the big middle finger and justs terminates.

Cryptography libraries and their implementation can be very fuckity. And when you need to replace cert chains it's usually a nightmare.

Not because it's hard, but because an oversight can lead to full blackout. :/

Also necessary if you work with Web Workers, you can't deploy them without having HTTPS enabled

Is there a quick and easy way to get one on your local machine (apache)? With web hosts you send a mail and it's done, but all I seem to find about getting a fake one locally involves many steps I don't understand. Fucked up my WAMP twice now.

For things like oauth/openid connect you need it. For preventing mixed protol and for detecting problems (like mixed protol). As @alexbrooklyn says keep it as close to prod as possible.