So, it appears that we constantly redirect you if you don't provide us with a (valid) JSESSIONID cookie. You can e.g. tell curl to store one with the -c flag - so:
❯ curl -L 'http://localhost:8088/'
curl: (47) Maximum (50) redirects followed
Whereas with -c:
❯ curl -L 'http://localhost:8088/' -c cookies.txt
<!DOCTYPE html>
<html>
(omitted ...)
I don't know enough about curl to know if there's a way to recycle cookies across redirects without requiring an actual file for storage.
My guess is your Firefox private session is set to a stricter mode that doesn't accept any cookies, even to store temporarily while the session is open, and that's why you get into a redirect loop. My Firefox, even in private mode, is able to connect to localhost:8088 just fine, so that might be a setting you can configure.
This is possibly a bug (I don't really know the internal mechanisms well enough to judge confidently) but even if it we do treat it as such, it'll be some time before we can issue a fix, so you may as well try to work around it.