@Tejzeratul: Sure. The sad fact is, that I don't know yet how to setup HTTPS in dev mode and also don't want to bother with certificates etc. while still developping. It is a different thing to set up HTTPS on a production server, but my dev machine is not even reachable from the internet. @nneonneo: Thank you very much! I immediately tried out ngrok, and I immediately ran into CSRF problems: The login form was posted to http://...ngrok-free-app, and the request origin was https:/...ngrok-free-app, so node_modules/@sveltejs/kit/src/runtime/server/respond.js throw a "Cross-site POST form submissions are forbidden" error. After trying more elegant approaches, I switched off CSRF protection. See above, I added a fourth step.