When we first published the plan for the effort of HTTPS everywhere<\/a>, we wanted to get developer community feedback on the various HTTP and HTTPS scenarios that we don’t have much everyday visibility of. After we published that blog, we heard you loud and clear<\/a> that there was a gap. This plan needed a clear way to suppress the eventual error case when a non-HTTPS source is used due to various scenarios where you are able to accept the security risk.<\/p>\n We’ve recently added such functionality that will allow you to do just that. In NuGet 6.8, you will be able add the Here’s an example:<\/p>\n In this example, the insecure http source called For how we got here, we took all the community feedback to come up with an open source proposal<\/a> on what we believe will improve this experience. Next, we created an epic of including this functionality in all the various NuGet tooling<\/a>. You should see this functionality in NuGet 6.8, .NET SDK 8.0.100, and Visual Studio 17.8.<\/p>\n We will continue on the original plan’s trajectory of upgrading this warning into an error when non-HTTPS sources are used. The only difference is that you will now be able to opt-out of this behavior. Keep an eye on the NuGet official release notes<\/a> for when that will be.<\/p>\n Your feedback is important to us. If there are any problems with this experience, check our GitHub Issues<\/a> and Visual Studio Developer Community<\/a> for existing issues. For new issues within NuGet, please report a GitHub Issue<\/a>. For general NuGet experience issues, let us know via the Report a Problem<\/a> option found in your favorite IDE under Mistakes were made When we first published the plan for the effort of HTTPS everywhere, we wanted to get developer community feedback on the various HTTP and HTTPS scenarios that we don’t have much everyday visibility of. After we published that blog, we heard you loud and clear that there was a gap. This plan […]<\/p>\n","protected":false},"author":551,"featured_media":56240,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7874,7928,326],"tags":[],"class_list":["post-2867","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-nuget","category-other-announcements","category-security"],"acf":[],"blog_post_summary":" Mistakes were made When we first published the plan for the effort of HTTPS everywhere, we wanted to get developer community feedback on the various HTTP and HTTPS scenarios that we don’t have much everyday visibility of. After we published that blog, we heard you loud and clear that there was a gap. This plan […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/2867","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/551"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=2867"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/2867\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/56240"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=2867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=2867"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=2867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}allowInsecureConnections<\/code> attribute to your respective packageSources<\/code> in your nuget.config<\/code> to enable or disable this functionality. The default is allowInsecureConnections=\"false\"<\/code>.<\/p>\n<packageSources>\n <clear \/> \n <add key=\"nuget.org\" value=\"https:\/\/api.nuget.org\/v3\/index.json\" protocolVersion=\"3\" \/>\n <add key=\"Contoso\" value=\"http:\/\/contoso.com\/packages\/\" allowInsecureConnections=\"true\" \/>\n <add key=\"Test Source\" value=\"c:\\packages\" \/>\n<\/packageSources>\n<\/code><\/pre>\nContoso<\/code> has the allowInsecureConnections<\/code> attribute set to true<\/code> and therefore will ignore any default non-HTTPS warnings and errors.<\/p>\nHow we’ve made it right<\/h2>\n
Continuing on<\/h2>\n
Feedback<\/h2>\n
Help > Report a Problem<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"