I'm working on a project on my local site, but I'm facing issues while testing in Brave due to a self-signed certificate. This setup causes my site to show as HTTPS but still marked as not secure, which is preventing me from using WebAuthn features.
I've tried adding the certificate to the Windows Trusted Root Certs, and I also added it in Brave's "Trusted Certificates" section. I enabled the flag for treating insecure origins as secure with my local URL https://testsite.com:3000, but I keep getting warnings about unsupported command-line flags and potential security issues. Despite all this, the site is still showing as insecure and WebAuthn isn't functioning properly. Can anyone offer some advice on how to resolve this?
5 Answers
Instead of dealing with those Brave flags, I recommend using mkcert. It sets up a local Certificate Authority and installs everything so that Brave will trust it right out of the box. Just run mkcert -install and then mkcert testsite.com. Make sure your server is configured with the cert and key it generates. Just remember that WebAuthn is picky about exact matches on protocol, domain, and port, so everything has to line up perfectly! That command-line flag isn't going to help with cert trust issues anyway. It's better to get the setup right in the first place!
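The exact-match requirement mentioned in the answer above, shown as an added example that is not part of the original answer: a server-side check of the origin a browser reports in a WebAuthn response. The expected origin comes from the question's URL; the RP ID testsite.com, the function names and the sample clientDataJSON values are assumptions constructed for illustration, and the RP ID test is simplified (no public-suffix-list lookup).

```javascript
// Added example: why a WebAuthn response is rejected when scheme, host or port drift.
// EXPECTED_ORIGIN is the URL from the question; RP_ID is an assumed relying-party ID.
const EXPECTED_ORIGIN = "https://testsite.com:3000";
const RP_ID = "testsite.com";

// Returns a list of mismatches; an empty list means the origin is acceptable.
function checkWebAuthnOrigin(clientDataJSON, expectedOrigin = EXPECTED_ORIGIN, rpId = RP_ID) {
  const problems = [];
  let reported;
  try {
    reported = new URL(JSON.parse(clientDataJSON).origin);
  } catch {
    return ["clientDataJSON has no parseable origin"];
  }
  const expected = new URL(expectedOrigin);

  // WebAuthn needs a secure context: https, or plain http only on localhost.
  const isLocalhost = reported.hostname === "localhost";
  if (reported.protocol !== "https:" && !(reported.protocol === "http:" && isLocalhost)) {
    problems.push(`scheme ${reported.protocol} is not a secure context`);
  }
  // URL.origin normalises scheme, host and port (default ports are dropped).
  if (reported.origin !== expected.origin) {
    problems.push(`origin ${reported.origin} != expected ${expected.origin}`);
  }
  // The host must equal the RP ID or be a subdomain of it (dot boundary).
  // Simplification: no public-suffix-list check is done here.
  const host = reported.hostname;
  if (host !== rpId && !host.endsWith("." + rpId)) {
    problems.push(`host ${host} is not covered by RP ID ${rpId}`);
  }
  return problems;
}

// Constructed sample input, shaped like the clientDataJSON a browser returns.
const sample = (origin) =>
  JSON.stringify({ type: "webauthn.get", challenge: "Y29uc3RydWN0ZWQ", origin });

function demo() {
  return [
    "https://testsite.com:3000",    // matches
    "https://testsite.com",         // port missing
    "http://testsite.com:3000",     // wrong scheme
    "https://nottestsite.com:3000", // suffix match without a dot boundary
  ].map((origin) => ({ origin, problems: checkWebAuthnOrigin(sample(origin)) }));
}
console.log(demo());
```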
Funny enough, in Edge and Brave's incognito mode it seems to handle the certs just fine, but standard mode throws errors. I guess it might be plugins messing things up?
A solid option is to use nginx with Let's Encrypt for your testing. If you're looking for HTTPS locally, you might want to check out ngrok to set things up easily.
Have you checked out Let's Encrypt? They're typically great for securing sites, but I'm not sure how they handle local dev servers.
You might find running your environment within Docker helpful. Set up a Caddy container to handle HTTP on port 80, and it can act as a reverse proxy while offering free SSL certificates. Caddy is super easy to set up and will automatically renew your certificates too!

Also, if you're testing in Firefox, you'll need to install NSS before running mkcert to make it work properly.