diff --git a/.gitignore b/.gitignore
index a6b65dcb966ba1d7fe7fcf774d04e05e0dc419ba..aebed19bf22e0b7ba835ffcbc1aafc977b6faab9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -147,3 +147,7 @@ Sessionx.vim
 tags
 # Persistent undo
 [._]*.un~
+
+# Auto-generated development key/certificate
+devcert.crt
+devcert.key
diff --git a/run.py b/run.py
index 461c5deace37dcc8e97d615530f495cfa02505d2..b8ccfa5b4ba817566cc5759c8850a03452e73b5f 100755
--- a/run.py
+++ b/run.py
@@ -1,8 +1,15 @@
 #!/usr/bin/env python3
+from werkzeug.serving import make_ssl_devcert
+
 from uffd import *
 
 if __name__ == '__main__':
 	app = create_app()
 	init_db(app)
 	print(app.url_map)
-	app.run(threaded=True, debug=True)
+	if not os.path.exists('devcert.crt') or not os.path.exists('devcert.key'):
+		make_ssl_devcert('devcert')
+	# WebAuthn requires https and a hostname (not just an IP address). If you
+	# don't want to test U2F/FIDO2 device registration/authorization, you can
+	# safely remove `host` and `ssl_context`.
+	app.run(threaded=True, debug=True, host='localhost', ssl_context=('devcert.crt', 'devcert.key'))
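Review bot: The new `os.path.exists` check uses `os`, but run.py (fully visible in this hunk) never imports it, so the name only resolves if `from uffd import *` happens to re-export it; add an explicit `import os` next to the werkzeug import. Separately, `make_ssl_devcert('devcert')` is called without a host, so the certificate gets Werkzeug's default wildcard subject rather than the `localhost` name the server is bound to; `make_ssl_devcert('devcert', host='localhost')` would tie the certificate to the origin the comment says WebAuthn needs. Both paths are relative to the current working directory, so starting the script from somewhere else writes a new private key there; resolving them against the script's own directory would keep the key in one known place.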