Giters

aspnet / Announcements

Subscribe to this repo to be notified about major changes in ASP.NET Core and Entity Framework Core

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

[Breaking change]: Removed default HTTPS binding on Kestrel

Daniel-Genkin-MS-2 opened this issue · comments

commented

Description

The default HTTPS address and port have been removed from Kestrel in .NET 7 preview 6. This is step one in dotnet/aspnetcore#42016 which will improve overall developer experience when dealing with HTTPS.

PR that makes the change: dotnet/aspnetcore#42021

Version

.NET 7 preview 6

Version

Other (please put exact version in description textbox)

Previous behavior

Previously, if no values for the address and port were specified explicitly but a local development certificate was available, Kestrel would default to binding to both http://localhost:5000 and https://localhost:5001.

New behavior

Users must now manually bind to HTTPS and specify the address and port explicitly, either via the launchSettings.json file, the ASPNETCORE_URLS environment variable, --urls command line argument, urls host configuration key, or via the UseUrls extension method.

HTTP binding is unchanged.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
  • Behavioral change: Existing code and binaries may experience different run-time behavior.

Reason for change

This current eager binding behavior occurs without regard to the configured environment and can lead to experience issues on developer machines when the certificate has not yet been trusted (i.e. trusted as root cert authority because it's self-signed). Clients often produce poor UX when hitting an HTTPS endpoint with an untrusted certificate, e.g. silent failure, scary error/warning screen, etc.

Recommended action

If you were not using the default https://localhost:5001 binding, no changes are required. However, if you were using this binding, please make sure to review this guide on how you can update your server to enable HTTPS.

Affected APIs

N/A