From f09cfecb132304adc3cc8bec7229474b3a72d69f Mon Sep 17 00:00:00 2001
From: Leendert de Borst
Date: Fri, 5 Sep 2025 20:21:49 +0200
Subject: [PATCH] Add HTTP warning for non-localhost hostnames (#1181)
---
 apps/server/AliasVault.Client/Main/Layout/Footer.razor | 6 +++++-
 .../AliasVault.Client/Resources/Layout/Footer.en.resx | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/apps/server/AliasVault.Client/Main/Layout/Footer.razor b/apps/server/AliasVault.Client/Main/Layout/Footer.razor
index a26688ffc..d535e624c 100644
--- a/apps/server/AliasVault.Client/Main/Layout/Footer.razor
+++ b/apps/server/AliasVault.Client/Main/Layout/Footer.razor
@@ -95,11 +95,15 @@
 ///
 /// Checks if the current URL is using HTTP and shows warning if needed.
+ /// Only shows warning for non-localhost hostnames since browsers allow crypto operations on localhost via HTTP.
 ///
 private void CheckHttpProtocol(object? sender, LocationChangedEventArgs? e) {
 var uri = new Uri(NavigationManager.Uri);
- _isHttpWarning = !_httpWarningDismissed && uri.Scheme == "http";
+ var isLocalhost = uri.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase) ||
+ uri.Host.Equals("127.0.0.1", StringComparison.OrdinalIgnoreCase) ||
+ uri.Host.Equals("::1", StringComparison.OrdinalIgnoreCase);
+ _isHttpWarning = !_httpWarningDismissed && uri.Scheme == "http" && !isLocalhost;
 StateHasChanged();
 }
diff --git a/apps/server/AliasVault.Client/Resources/Layout/Footer.en.resx b/apps/server/AliasVault.Client/Resources/Layout/Footer.en.resx
index 15dfbb1d4..7619df498 100644
--- a/apps/server/AliasVault.Client/Resources/Layout/Footer.en.resx
+++ b/apps/server/AliasVault.Client/Resources/Layout/Footer.en.resx
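Review bot: The `"::1"` operand in the new `isLocalhost` expression will not match an IPv6 loopback URL, because `Uri.Host` returns IPv6 literals with their square brackets (`[::1]`), so a vault opened over HTTP on the IPv6 loopback address still shows the banner. Change that operand to `uri.Host.Equals("[::1]", StringComparison.OrdinalIgnoreCase)`. The host list is also only an approximation of the browser's secure-context rule, which is what actually gates the crypto operations. It errs toward showing the warning, which is the safe direction. A short comment above it, such as `// Approximates window.isSecureContext; other loopback forms (e.g. 127.0.0.2, *.localhost) still show the warning.`, would record that and discourage widening the list to hosts the browser does not treat as trustworthy.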
@@ -83,7 +83,7 @@
 Title for HTTPS warning banner
- The AliasVault web app requires HTTPS for using browser crypto operations. Registering/logging in won't work over HTTP. Please switch to HTTPS and use a valid SSL certificate.
+ Browsers only allow secure crypto operations via HTTPS, except for localhost. Login/registration won't work over HTTP with the current hostname. Please switch to HTTPS.
 Message explaining why HTTPS is required
\ No newline at end of file