HTTPS everywhere

Jon Douglas

Safety guaranteed

As part of an ongoing effort to make HTTPS everywhere a reality for NuGet, we have taken a number of steps to help protect your everyday package management experiences.

Earlier this year, a security fact sheet from The White House reinforced the need for companies to take action to secure our software supply chains.

HTTPS and SSL not only encrypt our data so it cannot be used if it is stolen, but they also help us avoid man-in-the-middle (MITM) attacks. In short, HTTPS prevents someone from getting between you and NuGet. Every time you interact with NuGet, it should be over HTTPS so you can be sure the response you’re getting back is in fact being delivered by NuGet.

NuGet is HTTPS everywhere

Historically, NuGet was only available over HTTP or unvalidated HTTPS connections. Over time, as HTTPS became more prevalent, we’ve been pushing more and more traffic onto HTTPS as a best practice.

On NuGet.org, we even made the decision to redirect API URLs from HTTP to HTTPS. These redirects over HTTPS connections issue an HSTS header that instructs any supporting client to default to HTTPS from now on. If you were to access an HTTP URL, however, it would silently redirect to HTTPS and appear to work, but you wouldn’t get any of the security properties of TLS, because an attacker could intercept the request before the redirect happens.

For NuGet client experiences, we will be pushing towards the use of HTTPS sources as an ongoing effort to bring HTTPS everywhere.

What You Can Expect

  • In NuGet 6.3, we have introduced a new NU1803 warning that will let you know that you’re using a non-HTTPS source.
  • In November 2023, we will upgrade that warning into a new error when a non-HTTPS source is used. You will be able to opt out of this behavior for the time being to help migrate to HTTPS sources.
  • In November 2024, we will throw an error when a non-HTTPS source is used. You will not be able to opt out of this behavior.

If you are unable to upgrade to an HTTPS source for reasons outside of your control, do work with your package source provider and provide us your feedback on your workflow so we are aware of it.
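To find affected sources ahead of the dates above, the condition that NU1803 describes can be approximated offline against a nuget.config file. The Python below is an added example, not NuGet's own code: it reads a single config file, the sample config with its feed names and hosts is constructed, and it assumes that `<clear />` discards sources listed before it and that sources listed under `disabledPackageSources` are not used.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample nuget.config; feed names and example.test hosts are hypothetical.
SAMPLE_CONFIG = r"""<configuration>
  <packageSources>
    <add key="stale" value="http://old.example.test/nuget" />
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="HTTP://feeds.example.test/v3/index.json" />
    <add key="legacy" value="http://legacy.example.test/nuget" />
    <add key="local" value="C:\packages" />
  </packageSources>
  <disabledPackageSources>
    <add key="legacy" value="true" />
  </disabledPackageSources>
</configuration>
"""


def enabled_sources(config_xml):
    """Return {key: url} for sources still active after <clear /> and disables."""
    root = ET.fromstring(config_xml)
    sources = {}
    for node in root.findall("./packageSources/*"):
        if node.tag == "clear":
            sources.clear()  # assumption: drops every source defined before it
        elif node.tag == "add":
            sources[node.get("key")] = node.get("value", "")
    for node in root.findall("./disabledPackageSources/add"):
        if node.get("value", "").lower() == "true":
            sources.pop(node.get("key"), None)  # assumption: disabled = unused
    return sources


def insecure_sources(config_xml):
    """Return sorted (key, url) pairs whose URL scheme is plain http."""
    return sorted(
        (key, url) for key, url in enabled_sources(config_xml).items()
        # urlparse lowercases the scheme; local folders never parse as "http"
        if urlparse(url.strip()).scheme == "http"
    )


if __name__ == "__main__":
    for key, url in insecure_sources(SAMPLE_CONFIG):
        print(f"non-HTTPS source '{key}': {url}")
```

A real machine can combine several config files (solution, user and machine level), so run the check over each file that applies to the build.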

Closing

While older versions of NuGet will not include these changes for now, it is always recommended that you upgrade your tooling to the latest versions to ensure it supports verified TLS connections and defaults to proper HTTPS URLs.

For more details on NuGet 6.3, see our official release notes.

Feedback

Your feedback is important to us. If there are any problems with this experience, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.