NU1302: Insecure HTTP service index endpoint detected

NuGet blocks the configured feed by default because its service index or advertised resources use insecure HTTP instead of HTTPS.

Fix it fast

Most likely: A configured NuGet source, or one of the resources advertised by its service index, is using http:// instead of https://.

1. Confirm this is your error
error NU1302: You are using a NuGet source 'MyFeed' that contains an 'HTTP' service index resource endpoint: 'http://example/v3/index.json'.
2. Check the cause
dotnet nuget list source
grep -R -n "http://\|allowInsecureConnections" NuGet.Config .
dotnet restore -v normal
3. Apply the safe fix
# Preferred fix: switch the feed to HTTPS.
dotnet nuget update source <source-name> --source https://<host>/v3/index.json

# Only for a trusted internal feed where HTTPS is impossible, set allowInsecureConnections explicitly in NuGet.Config.
4. Verify it works
dotnet nuget list source
dotnet restore
Don't use unsafe shortcuts
  • Do not enable insecure HTTP for public internet feeds.
  • Do not hide this in machine-level config when the repo needs a clear NuGet.Config policy.
  • Do not treat NU1302 as a transient network error; it is a feed security configuration problem.

Where the Request Failed

NuGet is telling you the request failed before it got a clean response back. Treat the connection path and the failing environment as the first suspects, not the package or image name.

Restore connectivity to the package source

Switch the feed URL to HTTPS (recommended).

If you must use HTTP, set allowInsecureConnections=true for that source in NuGet.Config and document the risk.

Retry restore: dotnet restore

Validation

Re-run the failing command and confirm the original code/message is gone, and confirm expected artifacts or outputs exist (packages restored, build/publish succeeds).

Why It Happens

Usually this comes down to one of three causes: the source URL is http:// instead of https://, a proxy or rewrite causes the service index to advertise HTTP endpoints, or a legacy NuGet.Config still contains HTTP feeds.

Prove the Failing Environment Can Reach It

dotnet restore completes without NU1302.

Verbose logs show HTTPS endpoints, or explicit allowInsecureConnections for the source.

Mechanism

This is the part worth understanding if the quick fix did not hold. It explains what NuGet is trying to do at the moment the error appears.

NuGet treats HTTP endpoints as insecure by default.

If a source’s service index (or its resources) is HTTP, NuGet raises NU1302 unless allowInsecureConnections=true.

Prevent Repeat Connectivity Failures

To prevent this, enforce HTTPS-only feeds via policy and config review, and audit NuGet.Config changes in CI.
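
One way to run that audit in CI, as an added example (not RepoFlow's or NuGet's own code): a Python script that parses NuGet.Config instead of grepping it, and also checks the resources a service index advertises. The function names, finding labels, and sample feeds are assumptions made for illustration.

```python
import json
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs for illustration; feed names and hosts are made up.
SAMPLE_CONFIG = """<configuration><packageSources>
  <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  <add key="MyFeed" value="http://example/v3/index.json" />
  <add key="Legacy" value="HTTP://legacy.internal.example/v3/index.json" allowInsecureConnections="true" />
  <add key="Mirror" value="https://mirror.internal.example/v3/index.json" allowInsecureConnections="true" />
</packageSources></configuration>"""
SAMPLE_INDEX = """{"version": "3.0.0", "resources": [
  {"@id": "https://mirror.internal.example/v3/query", "@type": "SearchQueryService"},
  {"@id": "http://mirror.internal.example/v3/flat/", "@type": "PackageBaseAddress/3.0.0"}]}"""


def is_http(url):
    return urlsplit(url.strip()).scheme == "http"  # urlsplit lowercases the scheme


def audit_config(xml_text):
    """Return (source key, URL, finding) for every source that weakens HTTPS-only policy."""
    findings = []
    for add in ET.fromstring(xml_text).iterfind("./packageSources/add"):
        key, url = add.get("key", ""), add.get("value", "")
        opted_in = add.get("allowInsecureConnections", "").strip().lower() == "true"
        if is_http(url):
            # Without the explicit opt-in, restore fails on this source with NU1302.
            findings.append((key, url, "http-allowed" if opted_in else "http-blocked-NU1302"))
        elif opted_in:
            # HTTPS index, but any HTTP resources it advertises would be accepted.
            findings.append((key, url, "insecure-opt-in"))
    return findings


def audit_service_index(index_json):
    """Return (@type, @id) for each resource a v3 service index advertises over HTTP."""
    resources = json.loads(index_json).get("resources", [])
    return [(r.get("@type"), r.get("@id")) for r in resources if is_http(r.get("@id", ""))]


if __name__ == "__main__":
    # CI usage: pass the path to NuGet.Config; a non-zero exit fails the job.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    results = audit_config(data)
    for key, url, finding in results:
        print(f"{finding}: {key} -> {url}")
    sys.exit(1 if results else 0)
```

Feed `audit_service_index` the saved body of a feed's index.json to catch the proxy or rewrite case, where the source URL is HTTPS but the advertised resources are not.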

Docs and source code

NuGet.Protocol insecure HTTP message

The message tells you to either set allowInsecureConnections or migrate to HTTPS (source: GitHub).

  <data name="Error_Insecure_HTTP" xml:space="preserve">
    <value>You are using a NuGet source '{0}' that contains an 'HTTP' service index resource endpoint: '{1}'. This is insecure and not recommended. To allow HTTP resources, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. For more information, visit https://aka.ms/nuget-https-everywhere.</value>
    <comment>0 - NuGet Package source url
1- resource endpoint url</comment>
  </data>
