NuGet · Nigusu-Allehu · Nov 3, 2025 · Nov 4, 2025 · Nov 5, 2025 · Nov 5, 2025
@@ -18,6 +18,7 @@
 ### [Package Manager Console (PowerShell)](consume-packages/install-use-packages-powershell.md)
 ## Configure NuGet
 ### [Visual Studio options](consume-packages/nuget-visual-studio-options.md)
+### [NuGet HTTPS Everywhere](consume-packages/nuget-https-everywhere.md)
 ### Package restore options
 #### [Restore packages](consume-packages/package-restore.md)
 #### [Troubleshooting](consume-packages/package-restore-troubleshooting.md)

@@ -73,6 +73,84 @@ To verify that the MCP server is working correctly, open the GitHub Copilot Chat
 Then click the Tools icon in the bottom toolbar to bring up the Tools menu.
 You should see the MCP server named "nuget" in the list of available servers.
 
+## Getting started in GitHub Copilot Agent
+
+You can also configure the MCP Server to work with GitHub Copilot as a Coding Agent in your repositories.
+Ensure that you configured your repository to use [GitHub Copilot Coding Agents](https://github.com/settings/copilot/coding_agent).
+
+Browse to your repository and click the Settings tab.
+Expand the Copilot section and click on Coding Agents.
+
+![GitHub Copilot coding agent settings](./media/github-copilot-agent-settings.png)
+
+Scroll down to the **Model Context Protocol (MCP)** section and add the following JSON snippet to your `mcpServers` configuration:
+
+```json
+{ 
+  "mcpServers": {
+    "NuGet": {
+      "type": "local",
+      "command": "dnx",
+      "args": ["NuGet.Mcp.Server", "--yes"],
+      "tools": ["*"],
+      "env": {}
+    }
+  } 
+}
+```
+
+This will make all of NuGet's MCP server tools available. If you want specific tools, you can list them in the `"tools"` parameter array.
+
+Finally, click the **Save MCP configuration** button to save your changes.
+
+Now that the NuGet MCP is configured, you will also need to create a GitHub Actions workflow to install .NET 10 Preview 6 or higher so that the `dnx` command is available to run the MCP server.
+You can do this by creating the following workflow file in your repository at
+
+`.github/workflows/copilot-setup-steps.yml`
+
+The contents of this workflow file should be as follows:
+
+```yml
+name: "Copilot Setup Steps"
+
+# Automatically run the setup steps when they are changed to allow for easy validation, and
+# allow manual testing through the repository's "Actions" tab
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+  pull_request:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+
+jobs:
+  # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+
+    # Set the permissions to the lowest permissions possible needed for your steps.
+    # Copilot will be given its own token for its operations.
+    permissions:
+      # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete.
+      contents: read
+
+    # You can define any steps you want, and they will run before the agent starts.
+    # If you do not check out your code, Copilot will do this for you.
+    steps:
+      - name: Install .NET 10.x
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: |
+            10.x
+          dotnet-quality: preview
+
+      - name: dotnet --info
+        run: dotnet --info
+```
+
+This will ensure that the `dnx` command is available to run the NuGet MCP server when GitHub Copilot runs as a coding agent in your repository.
+
 ## Fixing package vulnerabilities
 
 The NuGet MCP server can help you identify and fix package vulnerabilities in your project.

@@ -0,0 +1,97 @@
+---
+title: NuGet HTTPS Everywhere
+description: Learn why NuGet enforces HTTPS connections for package sources, what errors like NU1302 mean, and how to safely allow HTTP feeds when necessary.
+author: Nigusu-Allehu
+ms.author: nyenework
+ms.date: 10/28/2025
+ms.topic: conceptual
+ai-usage: ai-generated
+---
+
+# NuGet HTTPS Everywhere
+
+NuGet requires all package sources to use **HTTPS** instead of **HTTP**.
+This enforcement protects the software supply chain by preventing tampering and interception during package restore and related operations.
+NuGet enforces this requirement by producing an error and stopping the operation when an HTTP source is used.
+
+## Understanding the HTTP Error
+
+This error occurs when one or more package sources in your configuration use an **HTTP** URL instead of **HTTPS**.
+
+In earlier NuGet versions, this scenario produced a **warning** ([`NU1803`](../reference/errors-and-warnings/nu1803.md)).
+Beginning with  [**NuGet 6.12**](../release-notes/NuGet-6.12.md) and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted.
-Beginning with  [**NuGet 6.12**](../release-notes/NuGet-6.12.md) and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted.
+Beginning with [**NuGet 6.12**](../release-notes/NuGet-6.12.md) and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted.
-Beginning with  [**NuGet 6.12**](../release-notes/NuGet-6.12.md) and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted.
+Beginning with [**NuGet 6.12**](../release-notes/NuGet-6.12.md) and later, it now results in an **error** unless the use of HTTP sources is explicitly permitted.
+
+### Recommended Resolution
+
+Before allowing HTTP connections, confirm whether your package source supports HTTPS.
+If it does, update the feed URL to use the secure protocol:
+
+```xml
+<add key="MyFeed" value="https://contoso/packages/v3/index.json" />
+```
+
+Switching to HTTPS ensures end-to-end encryption and is the recommended and more secure approach.
+
+### Allowing Insecure HTTP Feeds (Opt-Out)
+
+If HTTPS is not available and you operate in a trusted or isolated environment, you can explicitly allow HTTP sources.
+
+#### Option 1: Set allowInsecureConnections in your `NuGet.Config`
+
+* **Use Visual Studio**
+
+  Enable or disable allowing insecure HTTP connections with the [Package Sources settings](/nuget/consume-packages/nuget-visual-studio-options#allow-insecure-connections) under the Visual Studio options > **NuGet Package Manager**.
+
+* **Edit `NuGet.Config` manually**
+
+  Add the `allowInsecureConnections="true"` attribute to the affected source:
+
+  ```xml
+  <?xml version="1.0" encoding="utf-8"?>
+  <configuration>
+    <packageSources>
+      <add key="MyHttpFeed" value="http://contoso/packages/v3/index.json" allowInsecureConnections="true" />
+    </packageSources>
+  </configuration>
+  ```
+
+#### Option 2: Use the Command-Line Parameter
+
+For commands that support it, include the following flag to temporarily permit HTTP connections:
+
+For **dotnet** commands:
+
+```bash
+--allow-insecure-connections
+```
+
+For **NuGet.exe** commands, use:
+
+```powershell
+-AllowInsecureConnections
+```
+
+#### Commands that support opt-out options
+
+| Tool           | Commands                  | Support for Allow Insecure Connection |
+| -------------- | ------------------------- | ------------------------------------- |
+| **nuget.exe**  | `push`                    |  NuGet **7.0**                        |
+| **dotnet CLI** | `dotnet nuget push`       | .NET **10.0.1xx** and newer           |
+| **dotnet CLI** | `dotnet nuget add source` | .NET **9.0.1xx** and newer            |
+
+## HTTPS Enforcement Rollout Across Tools
+
+NuGet’s HTTPS enforcement was introduced gradually across releases.
+The following table summarizes the progression from [**warnings (NU1803)**](../reference/errors-and-warnings/nu1803.md) to [**errors (NU1302)**](../reference/errors-and-warnings/nu1302.md).
+
+| Versions Affected                                     | Behavior                                                              |
+| ----------------------------------------------------- | --------------------------------------------------------------------- |
+| [NuGet.exe 6.3](../release-notes/NuGet-6.3.md)+, Visual Studio 17.3+, .NET 6.0.100+   |  ⚠️ **Warning (NU1803)** – HTTP sources allowed but discouraged        |
+| [NuGet.exe 6.12](../release-notes/NuGet-6.12.md)+, Visual Studio 17.12+, .NET 9.0.100+  | ❌ **Error (NU1302)** – HTTP sources blocked unless explicitly allowed|
+
+## See Also
+
+* [NU1302](../reference/errors-and-warnings/nu1302.md)
+* [NU1803](../reference/errors-and-warnings/nu1803.md)
+* [NuGet.Config Reference](../reference/nuget-config-file.md#packagesources)
+* [NuGet Visual Studio Options](../consume-packages/nuget-visual-studio-options.md)
@@ -10,6 +10,8 @@ f1_keywords:
 
 # NuGet Error NU1302
 
+## Scenario 1
+
 > You are running the 'restore' operation with an 'HTTP' source: myHttpSource. NuGet requires HTTPS sources. To use an HTTP source, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. Please refer to https://aka.ms/nuget-https-everywhere for more information.
 
 ### Issue
@@ -53,3 +55,34 @@ Here's how it functions:
 
 > [!WARNING]
 > Changing SdkAnalysisLevel has other side-effects. Refer to the [`SdkAnalysisLevel`](/dotnet/core/project-sdk/msbuild-props#sdkanalysislevel) for a summary of the full scope of .NET SDK features affected.
+
+## Scenario 2
+
+> You are using a NuGet source 'https://contoso/v3/index.json' that contains an 'HTTP' service index resource endpoint: 'http://contoso/v3-flatcontainer/contoso/index.json'. This is insecure and not recommended. To allow HTTP resources, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. For more information, visit https://aka.ms/nuget-https-everywhere.
+
+### Issue
+
+A configured package source uses **HTTPS**, but one of its resources (indicated in the error message) uses **HTTP**.
+
+NuGet requires that all sources and their resources use HTTPS.
+If you want to continue using this source despite its HTTP resource, you must set the `allowInsecureConnections` flag to true in your NuGet.config file.
+
+To learn more about package sources and resource endpoints, take a look at the [NuGet Server API](../../api/overview).
+
+#### Option 1: Update the Source to Use HTTPS
+
+Whenever possible, switch to a package source that provides only HTTPS resources. This is the recommended and most secure option.
+
+#### Option 2: Allow Insecure Connections (If Necessary)
+
+If you must use the source, explicitly allow insecure connections by adding the `allowInsecureConnections` flag in the `NuGet.Config`:
+
+For information about managing the setting in Visual Studio, see [NuGet Options in Visual Studio](../../consume-packages/nuget-visual-studio-options.md#allow-insecure-connections)
+
+```xml
+<configuration>
+  <packageSources>
+    <add key="InsecureSource" value="https://contoso/v3/index.json" allowInsecureConnections="true" />
+  </packageSources>
+</configuration>
+```
@@ -33,7 +33,7 @@ For more information, see [the documentation on auditing packages](../../concept
 
 ### Solution
 
-We have [a blog post](https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/) with more discussion about our recommended actions when your project uses a package with a known vulnerability, and tools that can help.
+We have [documentation on upgrading vulnerable packages](../../concepts/Auditing-Packages.md#actions-when-packages-with-known-vulnerabilities-are-reported) that goes in more detail about our recommended actions when your project uses a package with a known vulnerability, and tools that can help.
 
 Upgrading to a newer version of the package is likely to resolve the warning.
 If your project does not reference the package directly (it's a transitive package), [`dotnet nuget why`](/dotnet/core/tools/dotnet-nuget-why) can be used to understand which package caused it to be included in your project.