Quiz Entry - updated: 2026.07.05
Why does the Geolocation API require HTTPS?
Because location is sensitive personal data that could be intercepted over plain HTTP, browsers only expose geolocation on secure origins — HTTPS, or localhost for development.
Secure origins:
https://example.com(HTTPS)http://localhost(exception for development)http://127.0.0.1(exception for development)
Why this matters:
- Location reveals where you are, where you live, where you work
- HTTP traffic can be intercepted (man-in-the-middle)
- Attackers could track user movements
If you try on HTTP:
navigator.geolocation.getCurrentPosition(success, error);
// Error: "Only secure origins are allowed"
Other APIs with same requirement: Camera, microphone, push notifications, service workers.
Go deeper:
MDN — Secure contexts — the general mechanism behind the HTTPS-only rule, why localhost is exempt, and the
window.isSecureContextcheck.