
Do you really want a valid certificate for localhost?

I can get a valid certificate for development by simply getting a valid certificate for localhost.example.com on my server through Let's Encrypt and then making localhost.example.com resolve to 127.0.0.1 in my /etc/hosts file.

Some code can behave slightly differently on localhost than on localhost.example.com, for example in deciding whether to keep cookies on a third level domain, so tests are more reliable that way.
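The cookie-scoping difference this comment points at, as an added example that is not part of the thread and not any commenter's code. It models the RFC 6265 domain-matching rule (section 5.1.3) and the Domain-attribute acceptance rule (section 5.3) in plain Python; real browsers add a public-suffix check that is not modelled here, and all hostnames and cookies below are constructed for illustration.

```python
"""Cookie scoping per RFC 6265 (section 5.1.3 domain matching and the
Domain-attribute check in section 5.3), showing why code served from
localhost.example.com can behave differently from code served from bare
"localhost". Added example for this thread, not code from any commenter.
All hostnames and cookies below are constructed for illustration."""
import ipaddress


def is_ip_literal(host: str) -> bool:
    """RFC 6265 never domain-matches an IP address against a suffix."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the request host domain-matches cookie_domain if
    they are identical, or the host ends in "." + cookie_domain and the
    host is not an IP literal."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if not domain:
        return False
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip_literal(host)


def can_store(cookie_domain: str, request_host: str) -> bool:
    """Set-side rule (RFC 6265 5.3 step 6): a Domain attribute is accepted
    only if the request host domain-matches it. So a page on bare
    "localhost" cannot set a cookie scoped to example.com, while a page on
    localhost.example.com can. (Real browsers also refuse public suffixes;
    that list is not modelled here.)"""
    return domain_matches(request_host, cookie_domain)


def cookie_sent_to(cookie: dict, request_host: str) -> bool:
    """Send-side rule: a host-only cookie (no Domain attribute) is returned
    only to the exact host that set it; a domain cookie is returned to every
    host that domain-matches its Domain."""
    if cookie.get("domain") is None:
        return request_host.lower() == cookie["host"].lower()
    return domain_matches(request_host, cookie["domain"])


def demo() -> dict:
    """Constructed scenario: the same app served from the two dev names."""
    app_cookie = {"name": "session", "host": "localhost.example.com",
                  "domain": "example.com"}
    local_cookie = {"name": "session", "host": "localhost", "domain": None}
    return {
        "localhost can set Domain=example.com":
            can_store("example.com", "localhost"),
        "localhost.example.com can set Domain=example.com":
            can_store("example.com", "localhost.example.com"),
        "domain cookie sent to api.localhost.example.com":
            cookie_sent_to(app_cookie, "api.localhost.example.com"),
        "domain cookie sent to localhost":
            cookie_sent_to(app_cookie, "localhost"),
        "host-only cookie sent to 127.0.0.1":
            cookie_sent_to(local_cookie, "127.0.0.1"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running `demo()` shows the asymmetry: a page on localhost.example.com can set and receive a cookie scoped to example.com (including on further subdomains such as api.localhost.example.com), while a page on bare localhost can neither set that cookie nor receive it, which is why tests that touch shared-domain cookies behave differently on the two names.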



If you don't care about HTTPS on localhost but still want a fully qualified domain name you can simplify this approach even further.

Let's say you have an app running on localhost:8000 on your dev box.

If you go to lvh.me:8000, it will work without having to install or modify anything on your dev box or modify your DNS records for another domain. If your app had an "example" subdomain you could even go to example.lvh.me:8000.

I wrote about lvh and other useful free services that help developing apps without needing to install a DNS server or mess with SSL certificates at https://nickjanetakis.com/blog/ngrok-lvhme-nipio-a-trilogy-f....


Regarding lvh, see also:

    localho.st


> resolve to 127.0.0.1

I wish people would stop using my IP address!


You can also use 127.0.0.1.xip.io for that with no modifications to hosts.


Yes, this is what I do. In fact, I have *.localhost.example.com resolve to 127.0.0.1 in DNS. "localhost" may be a special case in browsers.

I'm wondering if anyone would be aware of any issues if the private keys were exposed? I'm going to assume if one can MITM my localhost, it's already game over.


I was wondering the same thing, but the only realistic attack I can think of is if you happen to make localhost.example.com resolve to example.com and don't check the host name server side. And then the end user needs to not look too closely at the address bar.

So perhaps not do this if your domain is large_bank.com. But if you are aware the keys are exposed you could simply change your DNS to make it resolve somewhere else.

Of course, another option is to use localhost.junk_domain.com for testing so it doesn't matter if you lose the keys.


People tend to forget the good ol' trusty hosts file :) Thanks for noting it. Seems to be the practical solution, really.


What about 127.0.1.0? Loopback is a subnet, not a specific address from it.
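The two safeguards the replies above discuss, checking the hostname server side (the "localhost.example.com resolves to example.com and nobody checks the Host header" case raised a few comments up) and treating loopback as the whole 127.0.0.0/8 rather than only 127.0.0.1 (this comment), as one added example. This is not code from the thread or from any commenter. The DNS records in it are a constructed table so it runs offline; pass `resolve_with_system_dns` as the resolver to check a real /etc/hosts or DNS entry.

```python
"""Two checks for the "real subdomain pointed at loopback" dev setup
discussed in this thread (localhost.example.com with a genuine certificate,
DNS or /etc/hosts sending it to 127.0.0.1). Added example; not code from
any commenter. The resolver table and hostnames are constructed, and the
real-DNS path only runs when you pass it explicitly.

1. Before starting the dev server, confirm every address the name resolves
   to is loopback. The whole 127.0.0.0/8 (and ::1) counts, so 127.0.1.0 is
   fine; a name that also resolves to a public address is refused, which is
   the "localhost.example.com resolves to example.com" failure mode.
2. On the server, accept only an exact Host allow-list. If the dev key ever
   leaks and someone repoints the record, the production server still
   refuses requests addressed to the dev name, and the dev server refuses
   requests addressed to production."""
import ipaddress
import socket
from typing import Callable, Iterable, List

Resolver = Callable[[str], List[str]]


def resolve_with_system_dns(host: str) -> List[str]:
    """Every address getaddrinfo returns for host (uses hosts file / DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed records standing in for DNS so the example runs offline.
CONSTRUCTED_RECORDS = {
    "localhost.example.com": ["127.0.0.1", "::1"],
    "localhost.junk-domain.example": ["127.0.1.0"],     # elsewhere in the /8
    "oops.example.com": ["127.0.0.1", "203.0.113.10"],  # also public: refuse
    "nowhere.example.com": [],
}


def constructed_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS (hypothetical data, see CONSTRUCTED_RECORDS)."""
    return CONSTRUCTED_RECORDS.get(host.lower().rstrip("."), [])


def is_loopback(addr: str) -> bool:
    """ipaddress treats all of 127.0.0.0/8 and ::1 as loopback."""
    return ipaddress.ip_address(addr).is_loopback


def resolves_only_to_loopback(host: str,
                              resolver: Resolver = constructed_resolver) -> bool:
    """True only if the name resolves to at least one address and every
    address is loopback; a name that resolves nowhere, or partly to a public
    address, must not be served with the dev certificate."""
    addrs = resolver(host)
    return bool(addrs) and all(is_loopback(a) for a in addrs)


def host_header_allowed(host_header: str, allowed: Iterable[str]) -> bool:
    """Exact-match Host check. Strips an optional :port, keeps IPv6 brackets.
    No suffix matching: "example.com" in the list does not admit
    "localhost.example.com", and vice versa."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                 # [::1]:8000 -> [::1]
        host = host.split("]", 1)[0] + "]"
    elif host.count(":") == 1:               # name:8000 -> name
        host = host.split(":", 1)[0]
    return host in {a.lower() for a in allowed}


if __name__ == "__main__":
    for name in CONSTRUCTED_RECORDS:
        print(f"{name}: loopback-only={resolves_only_to_loopback(name)}")
    print(host_header_allowed("localhost.example.com:8000",
                              ["localhost.example.com"]))
```

The exact-match Host check is deliberately strict: a dev server listening as localhost.example.com should answer only to that name, and a production server should never answer to it, so a leaked dev key plus a repointed record buys an attacker a certificate for a name neither server will serve.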


I love this simple solution.



