Local agents can serve up content with proper domain names, which can resolve to anything, including 127.0.0.1. There’s exactly zero reason to use the insane setup of HTTPS + HSTS with localhost.

Plus, what’s the benefit of encrypting on a loopback connection? Who’s intercepting?



I'd be very annoyed if I were troubleshooting HTTPS/HSTS bugs and found out that certain headers were ignored because the target IP is localhost. It makes my life harder for no good reason other than to protect those who misconfigure their webserver from their own mistakes.


You have that backwards. Parent was stating internal domain names can resolve to 127 to enable HSTS. Specifically using "localhost" should be the exception, not the resolution of 127. You could shove securehost in /etc/hosts as 127.0.0.1 to turn on HSTS, for example.