How do I prevent nuget:NU1302 in CI?

Enforce HTTPS-only feeds via policy and config review. Audit `NuGet.Config` changes in CI.

How can I manually validate nuget:NU1302?

Re-run the failing command and confirm the original code/message is gone. Confirm expected artifacts or outputs exist (packages restored, build/publish succeeds).

NU1302: Insecure HTTP service index endpoint detected

Where the Request Failed

NuGet blocked the configured feed because its service index or advertised resources use insecure HTTP instead of HTTPS by default.

NuGet is telling you the request failed before it got a clean response back. Treat the connection path and the failing environment as the first suspects, not the package or image name.

Restore connectivity to the package source

Switch the feed URL to HTTPS (recommended).

If you must use HTTP, set allowInsecureConnections=true for that source in NuGet.Config and document the risk.

Retry restore:dotnet restore

Validation

Re-run the failing command and confirm the original code/message is gone, and confirm expected artifacts or outputs exist (packages restored, build/publish succeeds).

Why It Happens

Usually this comes down to source URL is http:// instead of https://, a proxy or rewrite causes the service index to advertise HTTP endpoints, or legacy NuGet.Config still contains HTTP feeds.

Prove the Failing Environment Can Reach It

dotnet restore completes without NU1302.

Verbose logs show HTTPS endpoints, or explicit allowInsecureConnections for the source.

Mechanism

This is the part worth understanding if the quick fix did not hold. It explains what NuGet is trying to do at the moment the error appears.

NuGet treats HTTP endpoints as insecure by default.

If a source’s service index (or its resources) is HTTP, NuGet raises NU1302 unless allowInsecureConnections=true.

Examples

error NU1302: You are using a NuGet source 'MyFeed' that contains an 'HTTP' service index resource endpoint: 'http://example/v3/index.json'.

Prevent Repeat Connectivity Failures

To prevent this, enforce HTTPS-only feeds via policy and config review, and audit NuGet.Config changes in CI.

Docs and source code

NuGet.Protocol insecure HTTP message

Message instructs allowInsecureConnections or HTTPS migration. - GitHub

  <data name="Error_Insecure_HTTP" xml:space="preserve">
    <value>You are using a NuGet source '{0}' that contains an 'HTTP' service index resource endpoint: '{1}'. This is insecure and not recommended. To allow HTTP resources, you must explicitly set 'allowInsecureConnections' to true in your NuGet.Config file. For more information, visit https://aka.ms/nuget-https-everywhere.</value>
    <comment>0 - NuGet Package source url
1- resource endpoint url</comment>
  </data>
  <data name="Error_Invalid_package_id" xml:space="preserve">