diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index a7dfd989f..60bbeb462 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -21,7 +21,6 @@ import (
 "crypto/rand"
 "errors"
 "fmt"
- "net"
 "net/http"
 "os"
 "strings"
@@ -260,10 +259,6 @@ func (da *DevAuth) AddAuthHeader(req *http.Request) {
 req.SetBasicAuth("", da.Password)
 }
 
-func isLocalhost(addrPort net.IP) bool {
- return addrPort.IsLoopback()
-}
-
 func IsLocalhost(req *http.Request) bool {
 return httputil.IsLocalhost(req)
 }
diff --git a/pkg/httputil/auth.go b/pkg/httputil/auth.go
index b1cb957b6..c9f84988f 100644
--- a/pkg/httputil/auth.go
+++ b/pkg/httputil/auth.go
@@ -19,6 +19,7 @@ package httputil
 import (
 "encoding/base64"
 "fmt"
+ "log"
 "net/http"
 "os"
 "regexp"
@@ -55,11 +56,17 @@ func IsLocalhost(req *http.Request) bool {
 if uid == -1 || runtime.GOOS == "darwin" {
 return from.IP.IsLoopback() && to.IP.IsLoopback()
 }
-
+ if uid == 0 {
+ log.Printf("camlistored running as root. Don't do that.")
+ return false
+ }
 if uid > 0 {
- owner, err := netutil.AddrPairUserid(from, to)
- if err == nil && owner == uid {
- return true
+ connUid, err := netutil.AddrPairUserid(from, to)
+ if err == nil {
+ if uid == connUid {
+ return true
+ }
+ log.Printf("auth: local connection uid %d doesn't match server uid %d", connUid, uid)
 }
 }
 return false
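Review bot: The new `uid == 0` refusal in pkg/httputil/auth.go sits after the `uid == -1 || runtime.GOOS == "darwin"` branch, so a server running as root on darwin still returns true for any loopback-to-loopback connection and never reaches the check or its log line. If running as root is meant to disable localhost auth on every platform, move the `if uid == 0 { ... return false }` block above that branch. In the `uid > 0` path a failure of `netutil.AddrPairUserid` is still dropped silently while a uid mismatch is now logged; an else branch with `log.Printf("auth: looking up local connection owner: %v", err)` would make both denial causes visible to whoever reads the log. Both `log.Printf` calls run on every request that reaches them, so it is worth confirming that repeated connections from another local user cannot flood the log, for example by emitting the root warning once. The body of IsLocalhost starts above this hunk and ends below it.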