[sonaltr]

I'm almost 99% certain that everyone who's this concerned - already has a domain. (or they can get a free domain from something like .tk - as it really does not matter since this is for pure local development).

So I feel like the following workflow is simpler no?

1. Use something like local.mydomain.com as your local dev domain. (set the DNS in Cloudflare / Netlify etc. to 127.0.0.1)

2. Use Let's encrypt to generate certs for that domain.

Am I going about this the wrong way? (or is there something super insecure that I've missed?)

[stephenr]

For the cert part, LetsEncrypt specifically recommend against that: https://letsencrypt.org/docs/certificates-for-localhost/

For the dns part, I honestly think a hosts file entry is more flexible, as you can support environments using vms/containers etc with a guest that has a dhcp address.

[sonaltr]

The security issue comes in when you ship the private key - if you are following best practices - won't the private key be different for each domain / managed in a better way?

[stephenr]

So, now you're going to give each member of your team a way to authorise valid certificates for your domain? Great, I don't want to imagine what your HR/security vetting process will be after the first abuse of that power.

[sonaltr]

I had not thought about that...great points!

This is way simpler in that case!