Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Scenario 1
You are running the 'restore' operation with an 'HTTP' source: myHttpSource. NuGet requires HTTPS sources. To use an HTTP source, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. Please refer to https://aka.ms/nuget-https-everywhere for more information.
Issue
myHttpSource is an insecure HTTP source. We recommend using an HTTPS source instead.
Solution
Option 1: Update the Source to Use HTTPS
If possible, update the package source to use https:// instead of http://:
<configuration>
<packageSources>
<add key="SecureSource" value="https://example.com/nuget/" />
</packageSources>
</configuration>
Option 2: Allow Insecure Connections (If Necessary)
If the source must remain HTTP, explicitly allow insecure connections by adding the AllowInsecureConnections flag in the NuGet.Config:
<configuration>
<packageSources>
<add key="InsecureSource" value="http://example.com/nuget/" allowInsecureConnections="true" />
</packageSources>
</configuration>
Option 3: Consult SDK Analysis Level
The SdkAnalysisLevel property in your project can serve as a temporary workaround for managing HTTP sources.
If additional time is needed to resolve the HTTP error, you can lower the SdkAnalysisLevel to suppress errors temporarily.
Here's how it functions:
- For SDK Analysis Level value below 9.0.100, using HTTP sources triggers a warning (NU1803).
- Starting with SDK Analysis Level 9.0.100 or higher, HTTP sources result in an error (NU1302) unless
AllowInsecureConnectionsis explicitly enabled.
Warning
Changing SdkAnalysisLevel has other side-effects. Refer to the SdkAnalysisLevel for a summary of the full scope of .NET SDK features affected.
Scenario 2
You are using a NuGet source 'https://contoso/v3/index.json' that contains an 'HTTP' service index resource endpoint: 'http://contoso/v3-flatcontainer/contoso/index.json'. This is insecure and not recommended. To allow HTTP resources, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. For more information, visit https://aka.ms/nuget-https-everywhere.
Issue
A configured package source uses HTTPS, but one of its resources (indicated in the error message) uses HTTP.
NuGet requires that all sources and their resources use HTTPS.
If you want to continue using this source despite its HTTP resource, you must set the allowInsecureConnections flag to true in your NuGet.config file.
To learn more about package sources and resource endpoints, take a look at the NuGet Server API.
Option 1: Update the Source to Use HTTPS
Whenever possible, switch to a package source that provides only HTTPS resources. This is the recommended and most secure option.
Option 2: Allow Insecure Connections (If Necessary)
If you must use the source, explicitly allow insecure connections by adding the allowInsecureConnections flag in the NuGet.Config:
For information about managing the setting in Visual Studio, see NuGet Options in Visual Studio
<configuration>
<packageSources>
<add key="InsecureSource" value="https://contoso/v3/index.json" allowInsecureConnections="true" />
</packageSources>
</configuration>