What if citserver listened on an auxiliary port in order to perform this kind of transaction, in a space that would not have access to any other data than what is absolutely needed? Webcit already needs to know where the citserver process is running from, so it would not mean any additional inconvenience for the admin setting it up. Since it's a one-time setup, I think security impacts of using a non-secured TCP connection for this exchange could be overlooked.
A case where 'localhost' is used would also need to be looked into, since that is the third type of FQDN that could be used to connect Webcit to citserver.