Microsoft Edge allow-insecure-localhost flag removed in Version 88.0.705.50

The Curious Case of the Missing "Allow Insecure Localhost" Flag in Microsoft Edge

For web developers, the "allow-insecure-localhost" flag in Microsoft Edge was a handy tool. It allowed developers to bypass SSL certificate errors when working on local development environments. However, many developers noticed its disappearance in Edge version 88.0.705.50, causing some confusion and workflow disruptions. This article dives into the reasons behind its removal and provides several workarounds to allow insecure localhost connections.

Why Did the Flag Disappear?

Initially, the removal of the allow-insecure-localhost flag seemed unintentional. As reported by users on Stack Overflow, the flag reappeared in later versions of Microsoft Edge, specifically version 89.0.767.0. This suggested that the flag's absence in version 88 was a temporary glitch.

However, the long-term fate of this flag was sealed by a decision made in the Chromium project, the open-source project that powers Microsoft Edge. The expiration version for the flag was modified, meaning that after a certain version (M130) of Chromium, the flag would be permanently removed.

Workarounds for Allowing Insecure Localhost

While the direct flag is no longer a permanent solution, several workarounds exist to enable insecure localhost connections in Microsoft Edge:

  • Using the "Temporarily Unexpire Flags" Feature (Versions 119-133):

    • Navigate to edge://flags.
    • Search for "Temporarily unexpire M130 flags" (or "M118" for Edge v119-120).
    • Enable the flag.
    • Restart the browser.
    • Search for #allow-insecure-localhost again.
    • Enable it.
  • Edge Policies (Version 133 and Later):

    • As of February 2025 and Edge version 133, the "Temporarily unexpire flags" method no longer works.
    • The recommended approach is to modify Edge's policies using the SSLErrorOverrideAllowedForOrigins or SSLErrorOverrideAllowed policies.
    • These policies can be set in Intune or directly in the registry.
    • Setting SSLErrorOverrideAllowedForOrigins to ["https://localhost"] specifically allows insecure connections for localhost. Refer to Microsoft Edge Policies for more information.
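
As an added example (not from the original article or from Microsoft), the PowerShell below writes the two policies named above to the registry so that certificate-error click-through is limited to https://localhost, then audits the result. It assumes the machine-wide policy key HKLM:\SOFTWARE\Policies\Microsoft\Edge, an elevated session, and, per Microsoft's policy documentation, that the per-origin list only takes effect when SSLErrorOverrideAllowed is disabled; the function names are hypothetical.

```powershell
# Added example: scope Edge's certificate-error override to localhost only.
# Assumption: machine-wide policy hive; run from an elevated session.
$EdgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ListKey    = Join-Path $EdgePolicy 'SSLErrorOverrideAllowedForOrigins'
$Allowed    = @('https://localhost')   # origin taken from the article

function Set-LocalhostOverride {
    # Start from an empty list so stale origins do not survive.
    if (Test-Path $ListKey) { Remove-Item -Path $ListKey -Recurse }
    New-Item -Path $ListKey -Force | Out-Null

    # 0 = no click-through on certificate errors in general ...
    Set-ItemProperty -Path $EdgePolicy -Name 'SSLErrorOverrideAllowed' `
        -Value 0 -Type DWord

    # ... except for the listed origins. List policies are stored as
    # string values named 1, 2, 3, ...
    $i = 1
    foreach ($origin in $Allowed) {
        New-ItemProperty -Path $ListKey -Name "$i" -Value $origin `
            -PropertyType String | Out-Null
        $i++
    }
}

function Test-EdgeSslOverride {
    # Returns one finding per setting that is broader than "loopback only".
    $findings = @()
    $props = Get-ItemProperty -Path $EdgePolicy -ErrorAction SilentlyContinue
    if ($props.SSLErrorOverrideAllowed -ne 0) {
        $findings += 'SSLErrorOverrideAllowed is not 0: click-through is possible on every site'
    }
    if (Test-Path $ListKey) {
        $key = Get-Item -Path $ListKey
        foreach ($name in $key.GetValueNames()) {
            $origin = $key.GetValue($name)
            if ($origin -notmatch '^https://(localhost|127\.0\.0\.1)(:\d+)?$') {
                $findings += "Origin '$origin' is not a loopback origin"
            }
        }
    }
    return $findings
}
```

Run Set-LocalhostOverride once, then Test-EdgeSslOverride; an empty result means only loopback origins are exempt. The edge://policy page shows what the browser actually loaded.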

Alternatives to Insecure Connections

While these workarounds are helpful, it's essential to consider that allowing insecure connections poses security risks. Here are some safer alternatives:

  • Using a Self-Signed Certificate: Generate a self-signed certificate for your localhost and configure your development server to use it. While the browser will initially warn you about the certificate, you can usually add an exception to trust it.
  • Using a Locally Trusted Certificate Authority (CA): Create your own CA and use it to sign certificates for your local development. This approach requires more setup but provides a higher level of trust.
  • Using a Development Certificate from a Trusted CA: Some CAs offer free or low-cost development certificates that are trusted by browsers.

The Importance of Secure Development

While the allow-insecure-localhost flag provided a convenient shortcut, its removal highlights the importance of secure development practices, even in local environments. By using self-signed certificates or other secure alternatives, developers can ensure that their applications are secure from the start. Consider exploring options like mkcert to simplify the process of creating locally trusted development certificates.
