Announcements icon indicating copy to clipboard operation
Announcements copied to clipboard

Published 20 hours ago verified publisher icon aspnet

[Breaking change]: Removed default HTTPS binding on Kestrel

Open Daniel-Genkin-MS-2 opened this issue 2 years ago • 0 comments

Description

The default HTTPS address and port have been removed from Kestrel in .NET 7 preview 6. This is step one in https://github.com/dotnet/aspnetcore/issues/42016 which will improve overall developer experience when dealing with HTTPS.

PR that makes the change: https://github.com/dotnet/aspnetcore/pull/42021

Version

.NET 7 preview 6

Version

Other (please put exact version in description textbox)

Previous behavior

Previously, if no values for the address and port were specified explicitly but a local development certificate was available, Kestrel would default to binding to both http://localhost:5000 and https://localhost:5001.

New behavior

Users must now manually bind to HTTPS and specify the address and port explicitly, either via the launchSettings.json file, the ASPNETCORE_URLS environment variable, --urls command line argument, urls host configuration key, or via the UseUrls extension method.

HTTP binding is unchanged.

Type of breaking change

  • [ ] Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • [ ] Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
  • [X] Behavioral change: Existing code and binaries may experience different run-time behavior.

Reason for change

This current eager binding behavior occurs without regard to the configured environment and can lead to experience issues on developer machines when the certificate has not yet been trusted (i.e. trusted as root cert authority because it's self-signed). Clients often produce poor UX when hitting an HTTPS endpoint with an untrusted certificate, e.g. silent failure, scary error/warning screen, etc.

Recommended action

If you were not using the default https://localhost:5001 binding, no changes are required. However, if you were using this binding, please make sure to review this guide on how you can update your server to enable HTTPS.

Affected APIs

N/A

Daniel-Genkin-MS-2 avatar Jun 07 '22 22:06 Daniel-Genkin-MS-2