This is related to this question: "Do I need to encrypt connections inside a network?", but I'm taking it a step further.

We have an application that uses a lot of microservices that are hosted on the same physical machine, and the microservices are exposed using HTTP (without the S). So they would be configured with an endpoint of "http://localhost/service/action" or something similar. These interactions are sensitive, containing personal financial data, session keys, and so forth, but are never issued across a network.

For connections like these, what value, if any, is there in switching them to HTTPS? I am looking for any mitigative benefit (does it reduce the exposure to certain known attack vectors?) or any compliance benefit (e.g., even if it has no actual value, is it required by PCI-DSS?).

John Wu

0 Answers