Why is localhost not recommended as an allowed callback or origin for production?

It is interfering with the development process in my company, and I was wondering what the cons are of opening localhost as an allowed URL in production.

Hi @tal.auth

Just a couple of quick thoughts: you can hijack localhost via /etc/hosts (or the equivalent) or by killing a listening process and putting your own there. That makes it insecure.


Thanks for the response, John. Not sure I understand what you are saying. Changing localhost to point to the production URL, but where? At the user's computer or at the deployment machine? I can maybe think of the repository code leaking and somebody deploying the same site locally, and authentication will be successful. Is that what you're saying? Also, what do you mean by killing a process and putting your own? On what machine?

Consider a callback URL: https://localhost:1234/callback?code=blah

Your app is running on localhost at port 1234.

Approach 1:
Attacker changes your /etc/hosts and does

This will then redirect the code not to but to 1234

Approach 2:
Attacker finds your app, kills it, and runs their own listening on port 1234

After some thinking: the auth code flow requires a secure backend. localhost cannot be considered a secure backend (it is actually the same as the frontend). So that is why.
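To make the two approaches above concrete, here is an added simulation (my own example code, not John's or Auth0's) of what happens to a callback like https://localhost:1234/callback?code=blah. Approach 1: the authorization server compares the redirect URI against its allow-list as a string, so the URI passes even when the victim's hosts file sends "localhost" somewhere else; the hosts-file lines, the allow-list and the 203.0.113.7 address are constructed sample data. Approach 2: whatever process is bound to the callback port receives the code, so a throwaway listener on loopback (an OS-chosen port standing in for 1234) captures it. Function names such as `where_does_the_code_go` and `rogue_listener_captures_code` are my own and not part of any library.

```python
"""Added example (not from the original thread): simulate hijacking a
localhost OAuth callback via the hosts file and via port squatting.

All hosts-file content, URLs and addresses below are constructed sample data.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit
from urllib.request import urlopen

# Constructed allow-list: production host plus the localhost entry under discussion.
ALLOWED = ["https://example.com/callback", "https://localhost:1234/callback"]

# Constructed hosts files. In the hijacked one the attacker's line comes first,
# and /etc/hosts lookups take the first match.
CLEAN_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"
HIJACKED_HOSTS = (
    "203.0.113.7 localhost   # attacker-added line (203.0.113.0/24 is a documentation range)\n"
    "127.0.0.1 localhost\n"
)


def resolve_via_hosts(hosts_text: str, hostname: str) -> Optional[str]:
    """Return the address the first matching hosts-file line gives for hostname.

    Mirrors /etc/hosts semantics: '#' starts a comment, first match wins.
    """
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if hostname in names:
            return addr
    return None


def is_allowed_redirect(allowed: List[str], candidate: str) -> bool:
    """Exact string comparison, which is what an authorization server does."""
    return candidate in allowed


def where_does_the_code_go(allowed: List[str], redirect_uri: str, hosts_text: str) -> Optional[str]:
    """Approach 1: the server only checks the string; the victim's machine decides
    which address "localhost" means. Returns that address, or None if rejected."""
    if not is_allowed_redirect(allowed, redirect_uri):
        return None
    host = urlsplit(redirect_uri).hostname
    return resolve_via_hosts(hosts_text, host)


class _CodeCatcher(BaseHTTPRequestHandler):
    """Approach 2: a rogue listener that records the code from /callback?code=..."""
    captured = {}

    def do_GET(self):
        qs = parse_qs(urlsplit(self.path).query)
        _CodeCatcher.captured["code"] = qs.get("code", [None])[0]
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"thanks")

    def log_message(self, *args):  # keep the demo quiet
        pass


def rogue_listener_captures_code(code: str) -> Optional[str]:
    """Bind a throwaway server on loopback (port 0 = OS-chosen, standing in for
    1234) and deliver the callback to it the way the victim's browser would."""
    _CodeCatcher.captured.clear()
    server = HTTPServer(("127.0.0.1", 0), _CodeCatcher)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with urlopen(f"http://127.0.0.1:{port}/callback?code={code}") as resp:
            resp.read()
    finally:
        server.shutdown()
        server.server_close()
    return _CodeCatcher.captured.get("code")


if __name__ == "__main__":
    uri = "https://localhost:1234/callback"
    print("clean hosts  ->", where_does_the_code_go(ALLOWED, uri, CLEAN_HOSTS))
    print("hijacked     ->", where_does_the_code_go(ALLOWED, uri, HIJACKED_HOSTS))
    print("rogue listener got code:", rogue_listener_captures_code("blah"))
```

The point the simulation makes is that the allow-list check and name resolution happen on different machines: the authorization server accepts the string, and the client decides where "localhost" and port 1234 actually lead. With a real hostname you control, a DNS or TLS check at least has to be defeated; with localhost, nothing on the server side can tell the legitimate listener from the attacker's.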


Hello John, for training purposes I need to create an Auth0 account and test changes on my local machine; therefore I need to give http://localhost instead of https. In this case, how do I go about using my Auth0 account, because in Settings it does not allow me to save a callback URL with http?
Thank You in advance.