jehan,
A safer option would be to use a dev CAS instance that is only accessible to subnets and VPN pools used only by the developers. As long as it's mostly stable (99% uptime), devs would be rarely inconvenienced. This assumes that you have a full dev infrastructure (LDAP, databases, etc).
Another option: name the laptop such that locally running applications have a URL that is similar to your institution URL, and also set up a self-signed certificate for that URL (root, intermediate, and one terminal cert for every subdomain). If your institution issues the certs instead (doing something like https://letsencrypt.org/ for non publicly accessible machines), then this approach could be pushed to all devs.
I can see a publicly available localhost service being a target for ne'er-do-wells.
You can tighten up your service Id regex by escaping operator characters to eliminate look-alike URLs:
https://.*\.our-domain\.fr/.*
Note I added a '.' before the '*' assuming that your regex was hastily created and not indicative of the one being used.
Ray
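
The following is an added example, not part of Ray's message: a small regression check that runs candidate service Id patterns against constructed URLs and reports any accepted URL whose real host lies outside our-domain.fr. It assumes the pattern must match the whole service URL; the unescaped pattern, the host-bound variant, and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_SUFFIX = ".our-domain.fr"  # domain taken from the message above

PATTERNS = {
    # Constructed "before" form: dots left as regex operators.
    "unescaped": r"https://.*.our-domain.fr/.*",
    # Pattern from the message: dots escaped.
    "escaped": r"https://.*\.our-domain\.fr/.*",
    # Added variant (assumption): the host part may not contain '/', '@', etc.
    "host_bound": r"https://[A-Za-z0-9.-]+\.our-domain\.fr/.*",
}

# Constructed sample service URLs.
SAMPLES = [
    "https://app.our-domain.fr/login",           # legitimate
    "https://a.b.our-domain.fr/",                # legitimate, nested subdomain
    "https://login-our-domain.fr/cb",            # look-alike registrable domain
    "https://other.example/a.our-domain.fr/cb",  # trusted name only in the path
]


def host_is_trusted(url):
    """True when the parsed hostname is a subdomain of the trusted domain."""
    host = urlsplit(url).hostname or ""
    return host.endswith(TRUSTED_SUFFIX)


def wrongly_accepted(pattern, urls=SAMPLES):
    """URLs the pattern accepts although their host is outside the domain."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.fullmatch(u) and not host_is_trusted(u)]


def wrongly_rejected(pattern, urls=SAMPLES):
    """Legitimate URLs the pattern fails to accept."""
    rx = re.compile(pattern)
    return [u for u in urls if host_is_trusted(u) and not rx.fullmatch(u)]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(name, "accepts outside hosts:", wrongly_accepted(pattern))
        print(name, "rejects trusted hosts:", wrongly_rejected(pattern))
```

Escaping the dots removes the look-alike domain; because `.*` also spans `/`, binding the host portion to hostname characters is what removes the path-embedded case.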