I agree that clients normally don't know full spec because no one works on that.
One way I find very helpful in mitigating this is by getting a prototype of system, a detailed prototype made which goes a long way to clarify specs for the client and help me understand the scope.
I found transitioning to non hourly project billing extremely satisfying.
> non-secured HTTP still makes sense for example during development
To make it easier & cleaner in development, it's best to make yourself a Certificate Authority CA and issues local certificates. This makes for no warnings in browsers and ensures a better development experience.