diff --git a/irc/gateways.go b/irc/gateways.go
index 5916c4ff..7bc1ea45 100644
--- a/irc/gateways.go
+++ b/irc/gateways.go
@@ -58,9 +58,11 @@ func webircHandler(server *Server, client *Client, msg ircmsg.IrcMessage) bool {
 				key = x
 			}
 
-			// only accept "tls" flag if the gateway's connection to us is secure as well
-			if strings.ToLower(key) == "tls" && client.flags[TLS] {
-				secure = true
+			if strings.ToLower(key) == "tls" {
+				// only accept "tls" flag if the gateway's connection to us is secure as well
+				if client.flags[TLS] || utils.AddrIsLocal(client.socket.conn.RemoteAddr()) {
+					secure = true
+				}
 			}
 		}
 	}
diff --git a/irc/utils/net.go b/irc/utils/net.go
index e56ab8de..bad537c2 100644
--- a/irc/utils/net.go
+++ b/irc/utils/net.go
@@ -25,6 +25,17 @@ func AddrLookupHostname(addr net.Addr) string {
 	return LookupHostname(IPString(addr))
 }
 
+// AddrIsLocal returns whether the address is from a trusted local connection (loopback or unix).
+func AddrIsLocal(addr net.Addr) bool {
+	if tcpaddr, ok := addr.(*net.TCPAddr); ok {
+		return tcpaddr.IP.IsLoopback()
+	}
+	if _, ok := addr.(*net.UnixAddr); ok {
+		return true
+	}
+	return false
+}
+
 // LookupHostname returns the hostname for `addr` if it has one. Otherwise, just returns `addr`.
 func LookupHostname(addr string) string {
 	names, err := net.LookupAddr(addr)