HTTPS Everywhere Update
Mistakes were made
When we first published the plan for the effort of HTTPS everywhere, we wanted to get developer community feedback on the various HTTP and HTTPS scenarios that we don’t have much everyday visibility of. After we published that blog, we heard you loud and clear that there was a gap. This plan needed a clear way to suppress the eventual error case when a non-HTTPS source is used due to various scenarios where you are able to accept the security risk.
We’ve recently added such functionality that will allow you to do just that. In NuGet 6.8, you will be able add the
allowInsecureConnections attribute to your respective
packageSources in your
nuget.config to enable or disable this functionality. The default is
Here’s an example:
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
<add key="Contoso" value="http://contoso.com/packages/" allowInsecureConnections="true" />
<add key="Test Source" value="c:\packages" />
In this example, the insecure http source called
Contoso has the
allowInsecureConnections attribute set to
true and therefore will ignore any default non-HTTPS warnings and errors.
How we’ve made it right
For how we got here, we took all the community feedback to come up with an open source proposal on what we believe will improve this experience. Next, we created an epic of including this functionality in all the various NuGet tooling. You should see this functionality in NuGet 6.8, .NET SDK 8.0.100, and Visual Studio 17.8.
We will continue on the original plan’s trajectory of upgrading this warning into an error when non-HTTPS sources are used. The only difference is that you will now be able to opt-out of this behavior. Keep an eye on the NuGet official release notes for when that will be.
Your feedback is important to us. If there are any problems with this experience, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under
Help > Report a Problem.