Serge Hulne

Reputation: 614

Is loopback (127.0.0.1) safe from network?

I am writing an application using Webview and a local server:

It's like using Electron, except the communication between the frontend and the backend happens via HTTP on localhost.

My question is:

Since the app is in two parts which communicate via loopback (127.0.0.1), can the network listen to the packets of data transiting between the two parts of my app or is it 100% safe from network sniffing?

Is an app designed this way safe when the computer is plugged into the internet?

Upvotes: 0

Views: 1217

Answers (1)

kenlukas

Reputation: 3973

To answer the first part, packets to the loopback address do not traverse the network.

127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5]

localhost traffic can't be sniffed locally.

To answer the second part, it's protected from sniffing on the Internet, but localhost traffic can be sniffed on the host. Therefore, if you have a breach via the Internet, it would be possible for someone to obtain localhost traffic.

References

RFC3330

Upvotes: 2
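
An added example, not part of the original question or answer: a sketch of a backend that only ever binds inside 127.0.0.0/8 (or ::1) and rejects any peer that is not on loopback, which is the property the answer relies on. The thread names no language, so Python is an assumption here, and `is_loopback`, `start_backend`, `fetch` and `BackendHandler` are hypothetical names.

```python
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def is_loopback(host: str) -> bool:
    """True only for a literal address in 127.0.0.0/8 or ::1."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # host names (even "localhost") are not accepted here


class BackendHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Defence in depth: refuse a peer whose source address is not loopback.
        if not is_loopback(self.client_address[0]):
            self.send_error(403)
            return
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_backend(bind_host: str = "127.0.0.1") -> ThreadingHTTPServer:
    # Binding to 0.0.0.0 or a LAN address would expose the backend to the
    # network, so anything outside the loopback block is refused up front.
    if not is_loopback(bind_host):
        raise ValueError(f"refusing non-loopback bind address {bind_host!r}")
    server = ThreadingHTTPServer((bind_host, 0), BackendHandler)  # port 0: OS picks
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(server: ThreadingHTTPServer) -> bytes:
    """Play the frontend: one GET over loopback to the running backend."""
    host, port = server.server_address[:2]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/")
        return conn.getresponse().read()
    finally:
        conn.close()
```

This keeps the traffic off the wire, but as the answer notes, other processes on the same host can still reach or observe the loopback socket.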
