don't expose a localhost https endpoint when there is no developer certificate · Issue #32361 · dotnet/aspnetcore (original) (raw)
By default kestrel exposes an HTTPS endpoint for localhost using a development certificate.
On Linux, the dotnet dev-certs https --trust doesn't work well leading to a bricked development experience.
It would be nice if there was a global way to opt-out of the HTTPS localhost bind.
One option may be to not bind localhost HTTPS when there is no development certificate.
I think the reason for having the HTTPS endpoint is to be secure by default, though not having it on localhost does not make things insecure by default.