-
Notifications
You must be signed in to change notification settings - Fork 495
Add a general HTTPS everywhere doc #3498
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
09340b5
Add a general HTTPS everywhere doc
Nigusu-Allehu a98afb2
Update docs/consume-packages/nuget-https-everywhere.md
Nigusu-Allehu a734655
Update docs/consume-packages/nuget-https-everywhere.md
Nigusu-Allehu 90ed2a2
Update docs/consume-packages/nuget-https-everywhere.md
Nigusu-Allehu bbc1bdf
Update docs/consume-packages/nuget-https-everywhere.md
Nigusu-Allehu cfa9e46
cleaner
Nigusu-Allehu b857da5
organize
Nigusu-Allehu ab8710f
add ai assistance
Nigusu-Allehu File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| --- | ||
| title: NuGet HTTPS Everywhere | ||
| description: Learn why NuGet enforces HTTPS connections for package sources, what errors like NU1302 mean, and how to safely allow HTTP feeds when necessary. | ||
| author: Nigusu-Allehu | ||
| ms.author: nyenework | ||
| ms.date: 10/28/2025 | ||
| ms.topic: conceptual | ||
| ai-usage: ai-generated | ||
| --- | ||
|
|
||
| # NuGet HTTPS Everywhere | ||
|
|
||
| NuGet requires all package sources to use **HTTPS** instead of **HTTP**. | ||
| This enforcement protects the software supply chain by preventing tampering and interception during package restore and related operations. | ||
| NuGet enforces this requirement by producing an error and stopping the operation when an HTTP source is used. | ||
|
|
||
| ## Understanding the HTTP Error | ||
|
|
||
| This error occurs when one or more package sources in your configuration use an **HTTP** URL instead of **HTTPS**. | ||
|
|
||
| In earlier NuGet versions, this scenario produced a **warning** ([`NU1803`](../reference/errors-and-warnings/nu1803.md)). | ||
| Beginning with [**NuGet 6.12**](../release-notes/NuGet-6.12.md) and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted. | ||
|
|
||
| ### Recommended Resolution | ||
|
|
||
| Before allowing HTTP connections, confirm whether your package source supports HTTPS. | ||
| If it does, update the feed URL to use the secure protocol: | ||
|
|
||
| ```xml | ||
| <add key="MyFeed" value="https://contoso/packages/v3/index.json" /> | ||
| ``` | ||
|
|
||
| Switching to HTTPS ensures end-to-end encryption and is the recommended and more secure approach. | ||
|
|
||
| ### Allowing Insecure HTTP Feeds (Opt-Out) | ||
|
|
||
| If HTTPS is not available and you operate in a trusted or isolated environment, you can explicitly allow HTTP sources. | ||
Nigusu-Allehu marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| #### Option 1: Set allowInsecureConnections in your `NuGet.Config` | ||
|
|
||
| * **Use Visual Studio** | ||
|
|
||
| Enable or disable allowing insecure HTTP connections with the [Package Sources settings](/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections) under the Visual Studio options > **NuGet Package Manager**. | ||
|
|
||
| * **Edit `NuGet.Config` manually** | ||
|
|
||
| Add the `allowInsecureConnections="true"` attribute to the affected source: | ||
|
|
||
| ```xml | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <configuration> | ||
| <packageSources> | ||
| <add key="MyHttpFeed" value="http://contoso/packages/v3/index.json" allowInsecureConnections="true" /> | ||
| </packageSources> | ||
| </configuration> | ||
| ``` | ||
|
|
||
| #### Option 2: Use the Command-Line Parameter | ||
Nigusu-Allehu marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| For commands that support it, include the following flag to temporarily permit HTTP connections: | ||
|
|
||
| For **dotnet** commands: | ||
|
|
||
| ```bash | ||
| --allow-insecure-connections | ||
| ``` | ||
|
|
||
| For **NuGet.exe** commands, use: | ||
|
|
||
| ```powershell | ||
| -AllowInsecureConnections | ||
| ``` | ||
|
|
||
| #### Commands that support opt-out options | ||
|
|
||
| | Tool | Commands | Support for Allow Insecure Connection | | ||
| | -------------- | ------------------------- | ------------------------------------- | | ||
| | **nuget.exe** | `push` | NuGet **7.0** | | ||
| | **dotnet CLI** | `dotnet nuget push` | .NET **10.0.1xx** and newer | | ||
| | **dotnet CLI** | `dotnet nuget add source` | .NET **9.0.1xx** and newer | | ||
|
|
||
| ## HTTPS Enforcement Rollout Across Tools | ||
|
|
||
| NuGet’s HTTPS enforcement was introduced gradually across releases. | ||
| The following table summarizes the progression from [**warnings (NU1803)**](../reference/errors-and-warnings/nu1803.md) to [**errors (NU1302)**](../reference/errors-and-warnings/nu1302.md). | ||
|
|
||
| | Versions Affected | Behavior | | ||
| | ----------------------------------------------------- | --------------------------------------------------------------------- | | ||
| | [NuGet.exe 6.3](../release-notes/NuGet-6.3.md)+, Visual Studio 17.3+, .NET 6.0.100+ | ⚠️ **Warning (NU1803)** – HTTP sources allowed but discouraged | | ||
| | [NuGet.exe 6.12](../release-notes/NuGet-6.12.md)+, Visual Studio 17.12+, .NET 9.0.100+ | ❌ **Error (NU1302)** – HTTP sources blocked unless explicitly allowed| | ||
|
|
||
| ## See Also | ||
|
|
||
| * [NU1302](../reference/errors-and-warnings/nu1302.md) | ||
| * [NU1803](../reference/errors-and-warnings/nu1803.md) | ||
| * [NuGet.Config Reference](../reference/nuget-config-file.md#packagesources) | ||
| * [NuGet Visual Studio Options](../consume-packages/nuget-visual-studio-options.md) | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if this concept needs its own heading.
I wonder if it should be contained within some sources write-up.
I couldn't find a source write-up, so I'm not gonna ask you to write a new doc for this. I'm curious what others think.
We can always leave it as is and then do some more docs later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a similar question in the beginning; however, I did not find perfect spot where I could put this doc in. I will look again. If there are any suggestions, please let me know.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree this seems like it should not be a top-level section, but I think we can edit the Index easily enough later.