From 09340b57d4c7c6684899a5783f8c472745b5d4f8 Mon Sep 17 00:00:00 2001 From: Nigusu Yenework Date: Tue, 28 Oct 2025 15:03:48 -0700 Subject: [PATCH 1/8] Add a general HTTPS everywhere doc --- docs/TOC.md | 1 + .../nuget-https-everywhere.md | 101 ++++++++++++++++++ 2 files changed, 102 insertions(+) create mode 100644 docs/consume-packages/nuget-https-everywhere.md diff --git a/docs/TOC.md b/docs/TOC.md index 0cf22d01f..a49bb6178 100644 --- a/docs/TOC.md +++ b/docs/TOC.md @@ -18,6 +18,7 @@ ### [Package Manager Console (PowerShell)](consume-packages/install-use-packages-powershell.md) ## Configure NuGet ### [Visual Studio options](consume-packages/nuget-visual-studio-options.md) +### [NuGet HTTPS Everywhere](consume-packages/nuget-https-everywhere.md) ### Package restore options #### [Restore packages](consume-packages/package-restore.md) #### [Troubleshooting](consume-packages/package-restore-troubleshooting.md) diff --git a/docs/consume-packages/nuget-https-everywhere.md b/docs/consume-packages/nuget-https-everywhere.md new file mode 100644 index 000000000..e947e7138 --- /dev/null +++ b/docs/consume-packages/nuget-https-everywhere.md 
@@ -0,0 +1,101 @@ +--- +title: NuGet HTTPS Everywhere +description: Learn why NuGet enforces HTTPS connections for package sources, what errors like NU1302 mean, and how to safely allow HTTP feeds when necessary. +author: Nigusu-Allehu +ms.author: nyenework +ms.date: 10/28/2025 +ms.topic: conceptual +--- + +# NuGet HTTPS Everywhere + +NuGet now requires all package sources to use **HTTPS** instead of **HTTP**. +This change enhances the security of the software supply chain by preventing tampering and interception during package restore and other operations. + +## Why HTTPS Everywhere? + +NuGet’s move to HTTPS Everywhere is part of a broader industry effort to secure the software supply chain. +HTTPS prevents attackers from intercepting or modifying package data and ensures that responses truly come from trusted sources. + +NuGet has gradually transitioned all traffic to HTTPS and now enforces it across client tools. +This protects developers from man-in-the-middle (MITM) attacks and aligns with federal and ecosystem-wide security standards. +For additional background, see the [.NET Blog: HTTPS Everywhere](https://devblogs.microsoft.com/dotnet/https-everywhere/). + +## Understanding the HTTP Error + +This error occurs when one or more package sources in your configuration use an **HTTP** URL instead of **HTTPS**. + +In earlier SDK versions, this scenario produced a **warning** ([`NU1803`](../reference/errors-and-warnings/nu1302.md)). +Beginning with **.NET SDK 9.0.100** and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted. + +### Recommended Resolution + +Before allowing HTTP connections, confirm whether your package source supports HTTPS. +If it does, update the feed URL to use the secure protocol: + +```xml + +``` + +Switching to HTTPS ensures end-to-end encryption and is the recommended and a more secure approach. 
+ +### Allowing HTTP Feeds (Opt-Out) + +If HTTPS is not available and you operate in a trusted or isolated environment, you can explicitly allow HTTP sources. + +#### Option 1: Configure in `NuGet.Config` + +Add the `allowInsecureConnections="true"` attribute to the affected source: + +```xml + + + + + + +``` + +#### Option 2: Use the Command-Line Parameter + +For commands that support it, include the following flag to temporarily permit HTTP connections: + +For **dotnet** commands: + +```bash +--allow-insecure-connections +``` + +For **NuGet.exe** commands, use: + +```powershell +-AllowInsecureConnections +``` + +#### Commands that support these options + +| Tool | Commands | Introduced In | +| -------------- | ------------------------- | --------------------------- | +| **nuget.exe** | `push` | NuGet **7.0** | +| **dotnet CLI** | `dotnet nuget push` | .NET **10.0.1xx** and newer | +| **dotnet CLI** | `dotnet nuget add source` | .NET **9.0.1xx** and newer | + +For **Visual Studio** steps, refer to +[NuGet Visual Studio Options – Allow Insecure Connections](https://learn.microsoft.com/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections). + +## HTTPS Enforcement Rollout Across Tools + +NuGet’s HTTPS enforcement was introduced gradually across releases. +The following table summarizes the progression from **warnings (NU1803)** to **errors (NU1302)**. 
+ +| Versions Affected | Behavior | +| ----------------------------------------------------- | --------------------------------------------------------------------- | +| Nuget.exe 6.3+, Visual Studio 17.3+, .NET 6.0.100+ | ⚠️ **Warning (NU1803)** – HTTP sources allowed but discouraged | +| NuGet.exe 6.12+, Visual Studio 17.12+, .NET 9.0.100+ | ❌ **Error (NU1302)** – HTTP sources blocked unless explicitly allowed| + +## See Also + +* [NU1302](../reference/errors-and-warnings/nu1302.md) +* [NU1803](../reference/errors-and-warnings/nu1803.md) +* [NuGet.Config Reference](../reference/nuget-config-file.md#packagesources) +* [NuGet Visual Studio Options](../consume-packages/nuget-visual-studio-options.md) From a98afb2c868e6f457aedf82fe62e442d2edf0516 Mon Sep 17 00:00:00 2001 From: Nigusu Solomon Yenework <59111203+Nigusu-Allehu@users.noreply.github.com> Date: Tue, 28 Oct 2025 15:14:25 -0700 Subject: [PATCH 2/8] Update docs/consume-packages/nuget-https-everywhere.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/consume-packages/nuget-https-everywhere.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/consume-packages/nuget-https-everywhere.md b/docs/consume-packages/nuget-https-everywhere.md index e947e7138..318d391d6 100644 --- a/docs/consume-packages/nuget-https-everywhere.md +++ b/docs/consume-packages/nuget-https-everywhere.md 
@@ -25,7 +25,7 @@ For additional background, see the [.NET Blog: HTTPS Everywhere](https://devblog This error occurs when one or more package sources in your configuration use an **HTTP** URL instead of **HTTPS**. -In earlier SDK versions, this scenario produced a **warning** ([`NU1803`](../reference/errors-and-warnings/nu1302.md)). +In earlier SDK versions, this scenario produced a **warning** ([`NU1803`](../reference/errors-and-warnings/nu1803.md)). Beginning with **.NET SDK 9.0.100** and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted. ### Recommended Resolution From a7346552c111d231e6509820ff86dedfc6426f3a Mon Sep 17 00:00:00 2001 From: Nigusu Solomon Yenework <59111203+Nigusu-Allehu@users.noreply.github.com> Date: Tue, 28 Oct 2025 15:14:39 -0700 Subject: [PATCH 3/8] Update docs/consume-packages/nuget-https-everywhere.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/consume-packages/nuget-https-everywhere.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/consume-packages/nuget-https-everywhere.md b/docs/consume-packages/nuget-https-everywhere.md index 318d391d6..20501fdcc 100644 --- a/docs/consume-packages/nuget-https-everywhere.md +++ b/docs/consume-packages/nuget-https-everywhere.md @@ -81,7 +81,7 @@ For **NuGet.exe** commands, use: | **dotnet CLI** | `dotnet nuget add source` | .NET **9.0.1xx** and newer | For **Visual Studio** steps, refer to -[NuGet Visual Studio Options – Allow Insecure Connections](https://learn.microsoft.com/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections). +[NuGet Visual Studio Options – Allow Insecure Connections](/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections). ## HTTPS Enforcement Rollout Across Tools From 90ed2a2d4266ffdeedd5d011e5f210e3505db99b Mon Sep 17 00:00:00 2001 
From: Nigusu Solomon Yenework <59111203+Nigusu-Allehu@users.noreply.github.com> Date: Tue, 28 Oct 2025 15:14:47 -0700 Subject: [PATCH 4/8] Update docs/consume-packages/nuget-https-everywhere.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/consume-packages/nuget-https-everywhere.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/consume-packages/nuget-https-everywhere.md b/docs/consume-packages/nuget-https-everywhere.md index 20501fdcc..743a22138 100644 --- a/docs/consume-packages/nuget-https-everywhere.md +++ b/docs/consume-packages/nuget-https-everywhere.md @@ -37,7 +37,7 @@ If it does, update the feed URL to use the secure protocol: ``` -Switching to HTTPS ensures end-to-end encryption and is the recommended and a more secure approach. +Switching to HTTPS ensures end-to-end encryption and is the recommended and more secure approach. ### Allowing HTTP Feeds (Opt-Out) From bbc1bdf7718c9c32bea376382a46d4faa3ddbde2 Mon Sep 17 00:00:00 2001 From: Nigusu Solomon Yenework <59111203+Nigusu-Allehu@users.noreply.github.com> Date: Tue, 28 Oct 2025 15:14:56 -0700 Subject: [PATCH 5/8] Update docs/consume-packages/nuget-https-everywhere.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/consume-packages/nuget-https-everywhere.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/consume-packages/nuget-https-everywhere.md b/docs/consume-packages/nuget-https-everywhere.md index 743a22138..9bd03154b 100644 --- a/docs/consume-packages/nuget-https-everywhere.md +++ b/docs/consume-packages/nuget-https-everywhere.md 
@@ -90,7 +90,7 @@ The following table summarizes the progression from **warnings (NU1803)** to **e | Versions Affected | Behavior | | ----------------------------------------------------- | --------------------------------------------------------------------- | -| Nuget.exe 6.3+, Visual Studio 17.3+, .NET 6.0.100+ | ⚠️ **Warning (NU1803)** – HTTP sources allowed but discouraged | +| NuGet.exe 6.3+, Visual Studio 17.3+, .NET 6.0.100+ | ⚠️ **Warning (NU1803)** – HTTP sources allowed but discouraged | | NuGet.exe 6.12+, Visual Studio 17.12+, .NET 9.0.100+ | ❌ **Error (NU1302)** – HTTP sources blocked unless explicitly allowed| ## See Also From cfa9e46f0ca48ad62051db0b79a06af809af7502 Mon Sep 17 00:00:00 2001 From: Nigusu Yenework Date: Tue, 4 Nov 2025 14:29:21 -0800 Subject: [PATCH 6/8] cleaner --- .../nuget-https-everywhere.md | 60 +++++++++---------- 1 file changed, 27 insertions(+), 33 deletions(-) diff --git a/docs/consume-packages/nuget-https-everywhere.md b/docs/consume-packages/nuget-https-everywhere.md index 9bd03154b..5d4c26bcd 100644 --- a/docs/consume-packages/nuget-https-everywhere.md +++ b/docs/consume-packages/nuget-https-everywhere.md 
@@ -9,24 +9,16 @@ ms.topic: conceptual # NuGet HTTPS Everywhere -NuGet now requires all package sources to use **HTTPS** instead of **HTTP**. -This change enhances the security of the software supply chain by preventing tampering and interception during package restore and other operations. - -## Why HTTPS Everywhere? - -NuGet’s move to HTTPS Everywhere is part of a broader industry effort to secure the software supply chain. -HTTPS prevents attackers from intercepting or modifying package data and ensures that responses truly come from trusted sources. - -NuGet has gradually transitioned all traffic to HTTPS and now enforces it across client tools. -This protects developers from man-in-the-middle (MITM) attacks and aligns with federal and ecosystem-wide security standards. -For additional background, see the [.NET Blog: HTTPS Everywhere](https://devblogs.microsoft.com/dotnet/https-everywhere/). +NuGet requires all package sources to use **HTTPS** instead of **HTTP**. +This enforcement protects the software supply chain by preventing tampering and interception during package restore and related operations. +NuGet enforces this requirement by producing an error and stopping the operation when an HTTP source is used. ## Understanding the HTTP Error This error occurs when one or more package sources in your configuration use an **HTTP** URL instead of **HTTPS**. -In earlier SDK versions, this scenario produced a **warning** ([`NU1803`](../reference/errors-and-warnings/nu1803.md)). -Beginning with **.NET SDK 9.0.100** and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted. +In earlier NuGet versions, this scenario produced a **warning** ([`NU1803`](../reference/errors-and-warnings/nu1803.md)). +Beginning with [**NuGet 6.12**](release-notes/NuGet-6.12.md) and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted. ### Recommended Resolution 
@@ -39,22 +31,14 @@ If it does, update the feed URL to use the secure protocol: Switching to HTTPS ensures end-to-end encryption and is the recommended and more secure approach. -### Allowing HTTP Feeds (Opt-Out) +### Allowing Insecure HTTP Feeds (Opt-Out) If HTTPS is not available and you operate in a trusted or isolated environment, you can explicitly allow HTTP sources. -#### Option 1: Configure in `NuGet.Config` +#### Option 1: Use visual studio -Add the `allowInsecureConnections="true"` attribute to the affected source: - -```xml - - - - - - -``` +For **Visual Studio** steps, refer to +[NuGet Visual Studio Options – Allow Insecure Connections](/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections). #### Option 2: Use the Command-Line Parameter @@ -72,16 +56,26 @@ For **NuGet.exe** commands, use: -AllowInsecureConnections ``` -#### Commands that support these options +#### Commands that support opt-out options -| Tool | Commands | Introduced In | -| -------------- | ------------------------- | --------------------------- | -| **nuget.exe** | `push` | NuGet **7.0** | -| **dotnet CLI** | `dotnet nuget push` | .NET **10.0.1xx** and newer | -| **dotnet CLI** | `dotnet nuget add source` | .NET **9.0.1xx** and newer | +| Tool | Commands | Support for Allow Insecure Connection | +| -------------- | ------------------------- | ------------------------------------- | +| **nuget.exe** | `push` | NuGet **7.0** | +| **dotnet CLI** | `dotnet nuget push` | .NET **10.0.1xx** and newer | +| **dotnet CLI** | `dotnet nuget add source` | .NET **9.0.1xx** and newer | -For **Visual Studio** steps, refer to -[NuGet Visual Studio Options – Allow Insecure Connections](/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections). +#### Option 3: Manually hand-edit your `NuGet.Config` + +Add the `allowInsecureConnections="true"` attribute to the affected source: + +```xml + + + + + + +``` ## HTTPS Enforcement Rollout Across Tools 
From b857da57756ecb1eea5886b239930bcf555af700 Mon Sep 17 00:00:00 2001 From: Nigusu Yenework Date: Tue, 4 Nov 2025 16:27:43 -0800 Subject: [PATCH 7/8] organize --- .../nuget-https-everywhere.md | 42 ++++++++++--------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/docs/consume-packages/nuget-https-everywhere.md b/docs/consume-packages/nuget-https-everywhere.md index 5d4c26bcd..ff078d46f 100644 --- a/docs/consume-packages/nuget-https-everywhere.md +++ b/docs/consume-packages/nuget-https-everywhere.md @@ -18,7 +18,7 @@ NuGet enforces this requirement by producing an error and stopping the operation This error occurs when one or more package sources in your configuration use an **HTTP** URL instead of **HTTPS**. In earlier NuGet versions, this scenario produced a **warning** ([`NU1803`](../reference/errors-and-warnings/nu1803.md)). -Beginning with [**NuGet 6.12**](release-notes/NuGet-6.12.md) and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted. +Beginning with [**NuGet 6.12**](../release-notes/NuGet-6.12.md) and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted. ### Recommended Resolution 
@@ -35,10 +35,25 @@ Switching to HTTPS ensures end-to-end encryption and is the recommended and more If HTTPS is not available and you operate in a trusted or isolated environment, you can explicitly allow HTTP sources. -#### Option 1: Use visual studio +#### Option 1: Set allowInsecureConnections in your `NuGet.Config` -For **Visual Studio** steps, refer to -[NuGet Visual Studio Options – Allow Insecure Connections](/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections). +* **Using visual studio** + + For **Visual Studio** steps, refer to + [NuGet Visual Studio Options – Allow Insecure Connections](/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections). + +* **Editing `NuGet.Config` manually** + + Add the `allowInsecureConnections="true"` attribute to the affected source: + + ```xml + + + + + + + ``` #### Option 2: Use the Command-Line Parameter 
@@ -64,28 +79,15 @@ For **NuGet.exe** commands, use: | **dotnet CLI** | `dotnet nuget push` | .NET **10.0.1xx** and newer | | **dotnet CLI** | `dotnet nuget add source` | .NET **9.0.1xx** and newer | -#### Option 3: Manually hand-edit your `NuGet.Config` - -Add the `allowInsecureConnections="true"` attribute to the affected source: - -```xml - - - - - - -``` - ## HTTPS Enforcement Rollout Across Tools NuGet’s HTTPS enforcement was introduced gradually across releases. -The following table summarizes the progression from **warnings (NU1803)** to **errors (NU1302)**. +The following table summarizes the progression from [**warnings (NU1803)**](../reference/errors-and-warnings/nu1803.md) to [**errors (NU1302)**](../reference/errors-and-warnings/nu1302.md). | Versions Affected | Behavior | | ----------------------------------------------------- | --------------------------------------------------------------------- | -| NuGet.exe 6.3+, Visual Studio 17.3+, .NET 6.0.100+ | ⚠️ **Warning (NU1803)** – HTTP sources allowed but discouraged | -| NuGet.exe 6.12+, Visual Studio 17.12+, .NET 9.0.100+ | ❌ **Error (NU1302)** – HTTP sources blocked unless explicitly allowed| +| [NuGet.exe 6.3](../release-notes/NuGet-6.3.md)+, Visual Studio 17.3+, .NET 6.0.100+ | ⚠️ **Warning (NU1803)** – HTTP sources allowed but discouraged | +| [NuGet.exe 6.12](../release-notes/NuGet-6.12.md)+, Visual Studio 17.12+, .NET 9.0.100+ | ❌ **Error (NU1302)** – HTTP sources blocked unless explicitly allowed| ## See Also From ab8710fbc56ba958c32c4e8aca56c4ecaaf901bc Mon Sep 17 00:00:00 2001 From: Nigusu Yenework Date: Tue, 4 Nov 2025 20:33:02 -0800 Subject: [PATCH 8/8] add ai assistance --- docs/consume-packages/nuget-https-everywhere.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/consume-packages/nuget-https-everywhere.md b/docs/consume-packages/nuget-https-everywhere.md index ff078d46f..47c97e01d 100644 --- a/docs/consume-packages/nuget-https-everywhere.md 
+++ b/docs/consume-packages/nuget-https-everywhere.md @@ -5,6 +5,7 @@ author: Nigusu-Allehu ms.author: nyenework ms.date: 10/28/2025 ms.topic: conceptual +ai-usage: ai-generated --- # NuGet HTTPS Everywhere @@ -37,12 +38,11 @@ If HTTPS is not available and you operate in a trusted or isolated environment, #### Option 1: Set allowInsecureConnections in your `NuGet.Config` -* **Using visual studio** +* **Use Visual Studio** - For **Visual Studio** steps, refer to - [NuGet Visual Studio Options – Allow Insecure Connections](/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections). + Enable or disable allowing insecure HTTP connections with the [Package Sources settings](/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections) under the Visual Studio options > **NuGet Package Manager**. -* **Editing `NuGet.Config` manually** +* **Edit `NuGet.Config` manually** Add the `allowInsecureConnections="true"` attribute to the affected source:
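Review bot: In PATCH 1/8, new file `nuget-https-everywhere.md`, the `xml` fence under "Recommended Resolution" holds only an empty line as shown here, so "update the feed URL to use the secure protocol" has nothing to point at. Put the package source entry inside the fence with its `https://` URL, ideally next to the `http://` form it replaces, so the reader can see the one-attribute change being asked for. The same applies to the empty `xml` fence under "Option 1: Configure in `NuGet.Config`", where the text refers to an `allowInsecureConnections="true"` attribute that the sample never shows.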
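Review bot: In PATCH 3/8, the Visual Studio link is changed to the site-relative form `/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections`, while every other internal link in this file, including the See Also entry for the same page, uses the file-relative `.md` form (`../consume-packages/nuget-visual-studio-options.md`). Pick one style for the file; using the `.md` path with the `#allow-insecure-connections` anchor keeps it consistent with the See Also list.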
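Review bot: In PATCH 6/8, first hunk, "Understanding the HTTP Error" still opens with "This error occurs when" but no line in the section says which error; after this rewrite NU1302 appears only in the front-matter description, the rollout table and See Also. Name it where it is introduced, for example "NuGet reports [NU1302](../reference/errors-and-warnings/nu1302.md) when one or more package sources", so someone arriving from the build output can match the code. Two smaller points in the same hunk: "Beginning with NuGet 6.12 and later, it now results in" says the same thing three times and reads better as "Starting with NuGet 6.12, it results in", and deleting "Why HTTPS Everywhere?" also drops the only link to the .NET Blog post, which could move to See Also.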
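Review bot: In PATCH 6/8, the "Commands that support opt-out options" table, the versions in the renamed third column do not line up with the enforcement versions stated elsewhere on the page: HTTP sources become an error at NuGet.exe 6.12 and .NET 9.0.100, but the flag is listed for `nuget.exe push` only from NuGet 7.0 and for `dotnet nuget push` only from .NET 10.0.1xx. Say what a user on the versions in between should do for `push`. The table also has no entry for restore, the operation the introduction names first, so state under Option 2 whether the flag exists there or whether the `NuGet.Config` attribute is the only opt-out. The new header "Support for Allow Insecure Connection" over cells that hold version numbers would be clearer as "Flag available from".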
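Review bot: In PATCH 7/8, the hunk that introduces "Option 1: Set allowInsecureConnections in your `NuGet.Config`", the page now leads with the persistent opt-out and nothing in the hunk says how it differs from Option 2, which is described as a way "to temporarily permit HTTP connections". Add a sentence stating that the attribute is set on the individual source it is added to and stays in effect for every operation that uses that config until it is removed, and that traffic to that source loses the tampering and interception protection described in the introduction. That gives "trusted or isolated environment" something concrete to be weighed against. The heading should also put `allowInsecureConnections` in code formatting, as the body text does.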
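Review bot: In PATCH 8/8, second hunk, the new Visual Studio bullet is hard to parse: "Enable or disable allowing insecure HTTP connections with the Package Sources settings under the Visual Studio options > **NuGet Package Manager**" stacks three verbs and gives the navigation path backwards. Suggest ordering it the way the user clicks, for example "In the Visual Studio options, under **NuGet Package Manager**, use the [Package Sources settings](...) to allow or disallow insecure HTTP connections for a source." Since this bullet sits under a heading about `NuGet.Config`, it would also help to say that the setting is written to that file, if that is the case.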