[Breaking change]: Removed default HTTPS binding on Kestrel #486
Labels
7.0.0
Announcement
Breaking change
Documented
The breaking change has been published to the .NET Core docs
Description
The default HTTPS address and port have been removed from Kestrel in .NET 7 preview 6. This is step one in dotnet/aspnetcore#42016 which will improve overall developer experience when dealing with HTTPS.
PR that makes the change: dotnet/aspnetcore#42021
Version
.NET 7 preview 6
Version
Other (please put exact version in description textbox)
Previous behavior
Previously, if no values for the address and port were specified explicitly but a local development certificate was available, Kestrel would default to binding to both http://localhost:5000 and https://localhost:5001.
New behavior
Users must now manually bind to HTTPS and specify the address and port explicitly, either via the
launchSettings.json
file, theASPNETCORE_URLS
environment variable,--urls
command line argument,urls
host configuration key, or via theUseUrls
extension method.HTTP binding is unchanged.
Type of breaking change
Reason for change
This current eager binding behavior occurs without regard to the configured environment and can lead to experience issues on developer machines when the certificate has not yet been trusted (i.e. trusted as root cert authority because it's self-signed). Clients often produce poor UX when hitting an HTTPS endpoint with an untrusted certificate, e.g. silent failure, scary error/warning screen, etc.
Recommended action
If you were not using the default https://localhost:5001 binding, no changes are required. However, if you were using this binding, please make sure to review this guide on how you can update your server to enable HTTPS.
Affected APIs
N/A
The text was updated successfully, but these errors were encountered: