The Secure Context Requirement

Learn why powerful browser APIs only run on https or localhost to protect sensitive features.

What a secure context is

A secure context is a page the browser considers delivered safely, typically over https, or on localhost during development. The browser restricts powerful and sensitive APIs to secure contexts so that an attacker on the network cannot tamper with the code that uses them.

  • https origins count as secure contexts.
  • localhost is treated as secure for development.
  • Plain http pages are not secure contexts.

Why gate features

Features like service workers, geolocation, the clipboard, and notifications can leak data or persist code. If they ran over plain http, a network attacker could inject a malicious service worker that survives long after the tampered connection ends. Restricting them to secure contexts removes that whole class of tampering.

  • Service workers require a secure context to register.
  • Many device APIs check isSecureContext first.
  • Mixed content from http on an https page is blocked.

When a feature silently fails, checking whether the page is a secure context is often the first thing to verify.
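One way to run that first check, as an added example that is not part of the original lesson. The names isTrustworthyUrl, PROBES and diagnose and the sample page objects are assumptions made for illustration; the URL check goes beyond the lesson's three cases by also accepting loopback addresses and *.localhost names, which the W3C Secure Contexts specification treats as trustworthy.

```javascript
// Added example, not from the lesson. Names and sample values are constructed.

// Approximates the browser's origin check: https/wss, localhost, and loopback
// addresses. Not modelled: a page is also insecure if an ancestor frame is.
function isTrustworthyUrl(url) {
  const { protocol, hostname } = new URL(url);
  if (protocol === 'https:' || protocol === 'wss:') return true;
  const host = hostname.replace(/^\[|\]$/g, ''); // URL keeps IPv6 brackets
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  return /^127(\.\d{1,3}){3}$/.test(host) || host === '::1';
}

// Presence probes for the features the lesson names, given a window-like object.
const PROBES = {
  serviceWorker: (w) => Boolean(w.navigator && 'serviceWorker' in w.navigator),
  geolocation: (w) => Boolean(w.navigator && 'geolocation' in w.navigator),
  clipboard: (w) => Boolean(w.navigator && 'clipboard' in w.navigator),
  notifications: (w) => 'Notification' in w,
};

// Classifies why a feature may be failing. The secure-context check comes first
// because an API object can be present on an http page yet still refuse to work.
function diagnose(feature, w = globalThis) {
  if (!Object.prototype.hasOwnProperty.call(PROBES, feature)) {
    throw new RangeError(`unknown feature: ${feature}`);
  }
  if (w.isSecureContext !== true) return 'insecure-context';
  return PROBES[feature](w) ? 'available' : 'unsupported';
}

// Constructed stand-ins for `window` on an http page and an https page.
const httpPage = { isSecureContext: false, navigator: { geolocation: {} } };
const httpsPage = { isSecureContext: true, navigator: { serviceWorker: {} } };

console.log(diagnose('geolocation', httpPage));
console.log(diagnose('serviceWorker', httpsPage));
console.log(diagnose('clipboard', httpsPage));
console.log(isTrustworthyUrl('http://localhost.example.com/'));
```

In a real page, call diagnose('serviceWorker') with no second argument from the console; it reads isSecureContext and navigator from the page's own global object.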

Key idea

The browser limits powerful APIs to secure contexts such as https or localhost so network attackers cannot tamper with sensitive features.

Check yourself

1. Which page counts as a secure context?

2. Why are service workers limited to secure contexts?