I also want to repeat my advice to use private browsing mode, or a separate browser profile, when accessing the Nxt server at localhost. It is a known issue that localhost url's containing the user secret phrase are retained in the browser memory cache. Could a malicious javascript planted on some website access and retrieve those?