2.0.1 • Public • Published


Make HTTPS (SSL) requests to localhost using a domain and SSL certificates that point to your local environment.

https://<any subdomain> → https://localhost/

Any subdomain of * points to localhost!

Exception:, which points to a page where you can download the certificates.

Why? solves mixed-content issues when developing a web app or backend in a local environment while accessing resources on remote HTTPS sources.

The issue is often raised by the same-origin policy mechanism that restricts the loading of resources from another origin unless this can be allowed by sending correct Cross-Origin Resource Sharing (CORS) headers.

In any case, this falls back on the must-have "non-mixed-content" requirement (no mixing of HTTP and HTTPS).

But making requests to HTTPS APIs from HTTP sites on localhost would not be possible without changing security options on your browser, which is why provides SSL certificates with a full loopback domain, to let anyone benefit from a signed certificate on localhost.

Where are the certificates?

Certificates are not bundled with the npm package, but downloaded and updated from at installation and runtime, or manually with

To specify the directory in which the certificates should be stored, set the environment variable BACKLOOP_DEV_CERTS_DIR.

If the certificates are outdated they are checked and updated at boot.



npm install [-g]

Add -g to use and globally.

Command line

(Don't forget to prefix commands with npx if not installed globally.)

Start a webserver serving the contents of a directory on<port>/: <path> [<port>]

Start a proxy on<port>/: <target host>[:<target port>] [<port>]

Manually update the certificates:

Certificate files

You can download the certificate files on for your own use.

From a node app

ES6 Module

import httpsOptions from '';
import https from 'https';

// Serve over HTTPS with the downloaded certificate options
https.createServer(httpsOptions, (req, res) => {
  res.end('hello world\n');
}).listen(8443);


const https = require('https');
const httpsOptionsAsync = require('').httpsOptionsAsync;

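// The callback receives the options once the certificates have been checked
httpsOptionsAsync(function (err, httpsOptions) {
  if (err) throw err;
  https.createServer(httpsOptions, (req, res) => {
    res.end('hello world\n');
  }).listen(8443);
});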

Or with promises.

const https = require('https');
const httpsOptionsPromise = require('').httpsOptionsPromise;

(async () => {
  // Wait for the certificates to be checked and, if needed, refreshed
  const httpsOptions = await httpsOptionsPromise();
  https.createServer(httpsOptions, (req, res) => {
    res.end('hello world\n');
  }).listen(8443);
})();


The following is not recommended, as it will crash your app if the certificates are expired. It will, however, refresh them for your next boot ;).

const https = require('https');
const options = require('').httpsOptions();

// Synchronous variant: throws at startup if the certificates are expired
https.createServer(options, (req, res) => {
  res.end('hello world\n');
}).listen(8443);


const https = require('https');
const httpsOptionsAsync = require('').httpsOptionsAsync;
const express = require('express');
const app = express();

// ...your code...

httpsOptionsAsync(function (err, httpsOptions) {
  if (err) throw err;
  https.createServer(httpsOptions, app).listen(8443);
});


// consider `await require('').httpsOptionsPromise()`
const backloopHttpsOptions = require('').httpsOptions();
backloopHttpsOptions.https = true;
backloopHttpsOptions.host = '';

module.exports = {
  // ...your options...
  devServer: backloopHttpsOptions
};

Now vue-cli-service serve will be served on


File: vite.config.js

import { defineConfig } from 'vite';
import backloopHttpsOptions from '';

export default defineConfig({
  server: {
    port: 4443,
    host: '',
    https: backloopHttpsOptions
  },
  // ... //
});

Now npm run dev will be served on


What if the * DNS A and AAAA entries are not pointing to and ::1 but to other (malicious) IPs? Then your HTTPS requests will not end up on your machine, but on these malicious servers.

Even if this is very unlikely to happen, you may want to be on the safe side by adding <what you need> to your /etc/hosts file:

localhost ...
::1 localhost ...
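
The following added example, which is not part of the package, resolves a hostname through the operating system resolver and refuses to continue unless every answer is a loopback address (127.0.0.0/8 or ::1). The function names and the sample records are assumptions made for the illustration.

```javascript
// Added example, not part of the package: check that a development hostname
// resolves only to loopback before serving or calling it over HTTPS.

// True for 127.0.0.0/8 and for ::1 (compressed or fully written out).
// Anything else, including IPv4-mapped IPv6, is treated as non-loopback.
function isLoopback(address) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(address);
  if (v4) {
    const octets = v4.slice(1).map(Number);
    return octets.every((o) => o <= 255) && octets[0] === 127;
  }
  if (!/^[0-9a-f:]+$/i.test(address) || address.includes(':::')) return false;
  const halves = address.split('::');
  if (halves.length > 2) return false;
  const compressed = halves.length === 2;
  if (compressed && halves[1] === '') return false; // e.g. "1::" ends in zeros
  const groups = halves.join(':').split(':').filter((g) => g !== '');
  if (groups.some((g) => g.length > 4)) return false;
  if (compressed ? groups.length > 7 : groups.length !== 8) return false;
  const last = groups.pop();
  return parseInt(last, 16) === 1 && groups.every((g) => parseInt(g, 16) === 0);
}

// Returns the addresses that would send traffic off this machine.
function offendingRecords(addresses) {
  return addresses.filter((a) => !isLoopback(a));
}

// Resolves through the OS resolver (getaddrinfo), so an /etc/hosts pin is honoured.
async function assertLoopbackOnly(hostname) {
  const { promises: dns } = await import('node:dns');
  const records = await dns.lookup(hostname, { all: true });
  const addresses = records.map((r) => r.address);
  const bad = offendingRecords(addresses);
  if (addresses.length === 0 || bad.length > 0) {
    throw new Error(`${hostname} resolves outside loopback: ${bad.join(', ')}`);
  }
  return addresses;
}

// Constructed sample: two loopback answers and one documentation-range address.
const SAMPLE_RECORDS = ['127.0.0.1', '::1', '203.0.113.7'];
```

Call `await assertLoopbackOnly(host)` with the subdomain you use before `https.createServer(...)`, so the server does not start when the name resolves anywhere other than your machine.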


npm run lint lints the code with Semi-Standard.

Pull requests are welcome.

The code to generate, publish and renew the certificates is here on GitHub



Unpacked Size

17.5 kB

  • perki