Do internal apps really need HTTPS if they're not on the public internet?
Yes. Internal networks are routinely compromised, and unencrypted traffic leaks credentials and session cookies to anyone on the LAN.
"Internal" is not a security boundary. A single compromised laptop, a malicious insider, or an attacker who pivoted through VPN can sniff plaintext traffic.
HTTPS also protects against tampering — without it, an attacker on the network can inject JavaScript or modify API responses in transit.
Use an internal certificate authority (e.g. step-ca, HashiCorp Vault, or a managed PKI) or a public CA via ACME with split-horizon DNS. Both approaches are free and automatable.
Bonus: many browser features (Service Workers, Clipboard API, modern auth) only work over HTTPS, so internal apps without TLS gradually break over time.