Skip "production" audits when in development

[kaycebasques]

localhost is considered a secure origin, right? So people who only audit their page via localhost will get false positives on the "Uses HTTPS" audit?

Something like this could be helpful:

"It looks like you're running your page locally. The results of this audit may change when you deploy your site to its production URL. To ensure that your page really does use HTTPS, make sure to audit this page again, using the production URL."

Generally speaking, it may be worthwhile to have just one top-level warning about localhost, and a reminder about the need to audit the production URL.

[metasean]

It would also be nice to have some type of option to skip https audits when testing on localhost.

For example, I've got a super-simple PWA in development with 4 https-related failures. At this point, I really don't care about https failures — because they should be resolved on the production server. So, instead of having to figure out why I'm not getting a 100 when testing on localhost, I'd prefer a command to the effect of lighthouse localhost:8000 --skip-ssl-audits so that not getting a 100 actually means that I need to read and act on the audits (other than deploying to production).

In keeping with @kaycebasques' comment, I would add a comment at the end of the CLI feedback and on the Lighthouse Report indicating that https audits were skipped on localhost.

I would also allow the flag to only work on a localhost, 127.x.x.x, 192.168.x.x urls.

[patrickhulce]

beyond just https there are several audits that only make sense in the context of a production deployment that it would be nice to have an all-encompassing "dev mode" where only audits that make sense to run during development would be run and we'd inject placeholders for the production checks so there are no surprises later

[patrickhulce]

Could use #1512 to surface some of these warnings.

[marco-eckstein]

I have created the tool lighthouse-ignore that may help.

[connorjclark]

Since this issue was filed, we made insecure https localhost a fatal error (but are considering reverting that here: #8865). We then want to create an insecure https audit if https:// is used with an invalid cert.

This issue requests a way to silence audits that fail due to common and expected differences in development vs production environments. FWIW, this is already possible with a custom config (just extend the default and turn off what you don't like).

We could support this pretty easily with a default-development config + a shorthand --use-development-config for config-path=./lighthouse-core/config/default-development.js. maybe even use that by default if localhost.

[brendankenny]

http/https checks should be much better now on localhost. I'll leave this issue open to track --preset=dev if that's still desired for other audits.

[connorjclark]

#11766 handled a lot (all?) of these cases. So, let's close.

[paulirish]

I think core(url): redirects-http => n/a for localhost. refactor url special cases by paulirish · #11766 sorted this out.

redirects-http, uses-http2, is-on-https are the key ones. but yeah i think they're all good now.