Using a Task Management Tool. As you might expect, a good task manager can display which open process is accessing the hard drive, and by how much, in addition to CPU and memory usage. Many tools can do this, including Process Explorer, Process Hacker, System Explorer, and others.
Jan 21, 2017. With the release of the automate-eGPU.sh v1.0.0 script last week, eGPU for macOS has become a much easier process for all Macs with Thunderbolt connectivity. The next big hurdle was to get the external graphics card to accelerate the internal display in macOS. One of our forum members, enjoy, showed a clever way to accelerate his MacBook Pro's internal display with an eGPU in Windows.
Network administrators can use this information to make sure that Mac computers and other Apple devices can connect to services such as the App Store and Apple's software-update servers.
Ports used by Apple products
This is a quick-reference guide showing common examples, not a comprehensive list of ports. This guide is updated periodically with information available at the time of publication.
Some software might use different ports and services, so it can be helpful to use port-watching software when deciding how to set up firewalls or similar access-control schemes.
Some services might use more than one of these ports. For example, a VPN service can use up to four different ports. When you find a product in this list, search (Command-F) in your browser for that name, then repeat your search (Command-G) to locate all occurrences of that product.
Some firewalls allow selective configuration of UDP or TCP ports with the same number, so it's important to know the type of port you're configuring. For example, NFS can use TCP 2049, UDP 2049 or both. If your firewall doesn't allow you to specify the type of port, configuring one type of port probably configures the other.
Port | TCP or UDP | Service or protocol name [1] | RFC [2] | Service name [3] | Used by |
---|---|---|---|---|---|
7 | TCP/UDP | echo | 792 | echo | -- |
20 | TCP | File Transfer Protocol (FTP) | 959 | ftp-data | -- |
21 | TCP | FTP control | 959 | ftp | -- |
22 | TCP | Secure Shell (SSH), SSH File Transfer Protocol (SFTP), and Secure copy (scp) | 4253 | ssh | Xcode Server (hosted and remote Git+SSH; remote SVN+SSH) |
23 | TCP | Telnet | 854 | telnet | -- |
25 | TCP | Simple Mail Transfer Protocol (SMTP) | 5321 | smtp | Mail (sending email); iCloud Mail (sending email) |
53 | TCP/UDP | Domain Name System (DNS) | 1034 | domain | -- |
67 | UDP | Bootstrap Protocol Server (BootP, bootps) | 951 | bootps | NetBoot via DHCP |
68 | UDP | Bootstrap Protocol Client (bootpc) | 951 | bootpc | NetBoot via DHCP |
69 | UDP | Trivial File Transfer Protocol (TFTP) | 1350 | tftp | -- |
79 | TCP | Finger | 1288 | finger | -- |
80 | TCP | Hypertext Transfer Protocol (HTTP) | 2616 | http | World Wide Web, FaceTime, iMessage, iCloud, QuickTime Installer, Maps, iTunes U, Apple Music, iTunes Store, Podcasts, Internet Radio, Software Update (OS X Lion or earlier), Mac App Store, RAID Admin, Backup, Calendar, WebDAV, Final Cut Server, AirPlay, macOS Internet Recovery, Profile Manager, Xcode Server (Xcode app, hosted and remote Git HTTP, remote SVN HTTP) |
88 | TCP | Kerberos | 4120 | kerberos | Kerberos, including Screen Sharing authentication |
106 | TCP | Password Server (unregistered use) | -- | 3com-tsmux | macOS Server Password Server |
110 | TCP | Post Office Protocol (POP3), Authenticated Post Office Protocol (APOP) | 1939 | pop3 | Mail (receiving email) |
111 | TCP/UDP | Remote Procedure Call (RPC) | 1057, 1831 | sunrpc | Portmap (sunrpc) |
113 | TCP | Identification Protocol | 1413 | ident | -- |
119 | TCP | Network News Transfer Protocol (NNTP) | 3977 | nntp | Apps that read newsgroups. |
123 | UDP | Network Time Protocol (NTP) | 1305 | ntp | Date & Time preferences, network time server synchronisation, Apple TV network time server sync |
137 | UDP | Windows Internet Naming Service (WINS) | -- | netbios-ns | -- |
138 | UDP | NETBIOS Datagram Service | -- | netbios-dgm | Windows Datagram Service, Windows Network Neighbourhood |
139 | TCP | Server Message Block (SMB) | -- | netbios-ssn | Microsoft Windows file and print services, such as Windows Sharing in macOS |
143 | TCP | Internet Message Access Protocol (IMAP) | 3501 | imap | Mail (receiving email) |
161 | UDP | Simple Network Management Protocol (SNMP) | 1157 | snmp | -- |
192 | UDP | OSU Network Monitoring System | -- | osu-nms | AirPort Base Station PPP status or discovery (certain configurations), AirPort Admin Utility, AirPort Express Assistant |
311 | TCP | Secure server administration | -- | asip-webadmin | Server app, Server Admin, Workgroup Manager, Server Monitor, Xsan Admin |
312 | TCP | Xsan administration | -- | vslmp | Xsan Admin (OS X Mountain Lion v10.8 and later) |
389 | TCP | Lightweight Directory Access Protocol (LDAP) | 4511 | ldap | Apps that look up addresses, such as Mail and Address Book |
427 | TCP/UDP | Service Location Protocol (SLP) | 2608 | svrloc | Network Browser |
443 | TCP | Secure Sockets Layer (SSL or HTTPS) | 2818 | https | TLS websites, iTunes Store, Software Update (OS X Mountain Lion and later), Spotlight Suggestions, Mac App Store, Maps, FaceTime, Game Center, iCloud authentication and DAV Services (Contacts, Calendars, Bookmarks), iCloud backup and apps (Calendars, Contacts, Find My iPhone, Find My Friends, Mail, iMessage, Documents & Photo Stream), iCloud Key Value Store (KVS), iPhoto Journals, AirPlay, macOS Internet Recovery, Profile Manager, Dictation, Siri, Xcode Server (hosted and remote Git HTTPS, remote SVN HTTPS, Apple Developer registration), Push notifications (if necessary) |
445 | TCP | Microsoft SMB Domain Server | -- | microsoft-ds | -- |
464 | TCP/UDP | kpasswd | 3244 | kpasswd | -- |
465 | TCP | Message Submission for Mail (Authenticated SMTP) | | smtp (legacy) | Mail (sending mail) |
500 | UDP | ISAKMP/IKE | 2408 | isakmp | macOS Server VPN service |
500 | UDP | Wi-Fi Calling | 5996 | IKEv2 | Wi-Fi Calling |
514 | TCP | shell | -- | shell | -- |
514 | UDP | Syslog | -- | syslog | -- |
515 | TCP | Line Printer (LPR), Line Printer Daemon (LPD) | -- | printer | Printing to a network printer, Printer Sharing in macOS |
532 | TCP | netnews | -- | netnews | -- |
548 | TCP | Apple Filing Protocol (AFP) over TCP | -- | afpovertcp | AppleShare, Personal File Sharing, Apple File Service |
554 | TCP/UDP | Real Time Streaming Protocol (RTSP) | 2326 | rtsp | AirPlay, QuickTime Streaming Server (QTSS), streaming media players |
587 | TCP | Message Submission for Mail (Authenticated SMTP) | 4409 | submission | Mail (sending mail), iCloud Mail (SMTP authentication) |
600–1023 | TCP/UDP | Mac OS X RPC-based services | -- | ipcserver | NetInfo |
623 | UDP | Lights-Out-Monitoring | -- | asf-rmcp | Lights Out Monitoring (LOM) feature of Intel-based Xserve computers, Server Monitor |
625 | TCP | Open Directory Proxy (ODProxy) (unregistered use) | -- | dec_dlm | Open Directory, Server app, Workgroup Manager; Directory Services in OS X Lion or earlier. This port is registered to DEC DLM. |
626 | TCP | AppleShare Imap Admin (ASIA) | -- | asia | IMAP administration (Mac OS X Server v10.2.8 or earlier) |
626 | UDP | serialnumberd (unregistered use) | -- | asia | Server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6) |
631 | TCP | Internet Printing Protocol (IPP) | 2910 | ipp | macOS Printer Sharing, printing to many common printers |
636 | TCP | Secure LDAP | -- | ldaps | -- |
660 | TCP | Server administration | -- | mac-srvr-admin | Server administration tools for Mac OS X Server v10.4 or earlier, including AppleShare IP |
687 | TCP | Server administration | -- | asipregistry | Server administration tools for Mac OS X Server v10.6 or earlier, including AppleShare IP |
749 | TCP/UDP | Kerberos 5 admin/changepw | -- | kerberos-adm | -- |
985 | TCP | NetInfo Static Port | -- | -- | -- |
993 | TCP | Mail IMAP SSL | -- | imaps | iCloud Mail (SSL IMAP) |
995 | TCP/UDP | Mail POP SSL | -- | pop3s | -- |
1085 | TCP/UDP | WebObjects | -- | webobjects | -- |
1099, 8043 | TCP | Remote RMI and IIOP Access to JBOSS | -- | rmiregistry | -- |
1220 | TCP | QT Server Admin | -- | qt-serveradmin | Administration of QuickTime Streaming Server |
1640 | TCP | Certificate Enrolment Server | -- | cert-responder | Profile Manager in macOS Server 5.2 and earlier |
1649 | TCP | IP Failover | -- | kermit | -- |
1701 | UDP | L2TP | -- | l2f | macOS Server VPN service |
1723 | TCP | PPTP | -- | pptp | macOS Server VPN service |
1900 | UDP | SSDP | -- | ssdp | Bonjour |
2049 | TCP/UDP | Network File System (NFS) (version 3 and 4) | 3530 | nfsd | -- |
2195 | TCP | Apple Push Notification Service (APNS) | -- | -- | Push notifications |
2196 | TCP | Apple Push Notification Service (APNS) | -- | -- | Feedback service |
2197 | TCP | Apple Push Notification Service (APNS) | -- | -- | Push notifications |
2336 | TCP | Mobile account sync | -- | appleugcontrol | Home directory synchronisation |
3004 | TCP | iSync | -- | csoftragent | -- |
3031 | TCP/UDP | Remote AppleEvents | -- | eppc | Program Linking, Remote Apple Events |
3283 | TCP/UDP | Net Assistant | -- | net-assistant | Apple Remote Desktop 2.0 or later (Reporting feature), Classroom app (command channel) |
3284 | TCP/UDP | Net Assistant | -- | net-assistant | Classroom app (document sharing) |
3306 | TCP | MySQL | -- | mysql | -- |
3478–3497 | UDP | -- | -- | nat-stun-port - ipether232port | FaceTime, Game Center |
3632 | TCP | Distributed compiler | -- | distcc | -- |
3659 | TCP/UDP | Simple Authentication and Security Layer (SASL) | -- | apple-sasl | macOS Server Password Server |
3689 | TCP | Digital Audio Access Protocol (DAAP) | -- | daap | iTunes Music Sharing, AirPlay |
3690 | TCP/UDP | Subversion | -- | svn | Xcode Server (anonymous remote SVN) |
4111 | TCP | XGrid | -- | xgrid | -- |
4398 | UDP | -- | -- | -- | Game Center |
4488 | TCP | Apple Wide Area Connectivity Service | | awacs-ice | |
4500 | UDP | IPsec NAT Traversal | 4306 | ipsec-msft | macOS Server VPN service |
4500 | UDP | Wi-Fi Calling | 5996 | IKEv2 | Wi-Fi Calling |
5003 | TCP | FileMaker - name binding and transport | -- | fmpro-internal | -- |
5009 | TCP | (unregistered use) | -- | winfs | AirPort Utility, AirPort Express Assistant |
5100 | TCP | -- | -- | socalia | macOS camera and scanner sharing |
5222 | TCP | XMPP (Jabber) | 3920 | jabber-client | Jabber messages |
5223 | TCP | Apple Push Notification Service (APNS) | -- | -- | iCloud DAV Services (Contacts, Calendars, Bookmarks), Push Notifications, FaceTime, iMessage, Game Center, Photo Stream |
5228 | TCP | -- | -- | -- | Spotlight Suggestions, Siri |
5297 | TCP | -- | -- | -- | Messages (local traffic) |
5350 | UDP | NAT Port Mapping Protocol Announcements | -- | -- | Bonjour |
5351 | UDP | NAT Port Mapping Protocol | -- | nat-pmp | Bonjour |
5353 | UDP | Multicast DNS (MDNS) | 3927 | mdns | Bonjour, AirPlay, Home Sharing, Printer Discovery |
5432 | TCP | PostgreSQL | -- | postgresql | Can be enabled manually in OS X Lion Server (previously enabled by default for ARD 2.0 Database) |
5897–5898 | UDP | (unregistered use) | -- | -- | xrdiags |
5900 | TCP | Virtual Network Computing (VNC) (unregistered use) | -- | vnc-server | Apple Remote Desktop 2.0 or later (Observe/Control feature), Screen Sharing (Mac OS X 10.5 or later) |
5988 | TCP | WBEM HTTP | -- | wbem-http | Apple Remote Desktop 2.x. See also dmtf.org/standards/wbem. |
6970–9999 | UDP | -- | -- | -- | QuickTime Streaming Server |
7070 | TCP | RTSP (unregistered use), Automatic Router Configuration Protocol (ARCP) | -- | arcp | QuickTime Streaming Server (RTSP) |
7070 | UDP | RTSP alternate | -- | arcp | QuickTime Streaming Server |
8000–8999 | TCP | -- | -- | irdmi | Web service, iTunes Radio streams |
8005 | TCP | Tomcat remote shutdown | -- | -- | -- |
8008 | TCP | iCal service | -- | http-alt | Mac OS X Server v10.5 or later |
8080 | TCP | Alternate port for Apache web service | -- | http-alt | Also JBOSS HTTP in Mac OS X Server 10.4 or earlier |
8085–8087 | TCP | Wiki service | -- | -- | Mac OS X Server v10.5 or later |
8088 | TCP | Software Update service | -- | radan-http | Mac OS X Server v10.4 or later |
8089 | TCP | Web email rules | -- | -- | Mac OS X Server v10.6 or later |
8096 | TCP | Web Password Reset | -- | -- | Mac OS X Server v10.6.3 or later |
8170 | TCP | HTTPS (web service/site) | -- | -- | Podcast Capture/podcast CLI |
8171 | TCP | HTTP (web service/site) | -- | -- | Podcast Capture/podcast CLI |
8175 | TCP | Pcast Tunnel | -- | -- | pcastagentd (such as for control operations and camera) |
8443 | TCP | iCal service (SSL) | -- | pcsync-https | Mac OS X Server v10.5 or later (JBOSS HTTPS in Mac OS X Server 10.4 or earlier) |
8800 | TCP | Address Book service | -- | sunwebadmin | Mac OS X Server v10.6 or later |
8843 | TCP | Address Book service (SSL) | -- | -- | Mac OS X Server v10.6 or later |
8821, 8826 | TCP | Stored | -- | -- | Final Cut Server |
8891 | TCP | ldsd | -- | -- | Final Cut Server (data transfers) |
9006 | TCP | Tomcat standalone | -- | -- | Mac OS X Server v10.6 or earlier |
9100 | TCP | Printing | -- | -- | Printing to certain network printers |
9418 | TCP/UDP | git pack transfer | -- | git | Xcode Server (remote git) |
10548 | TCP | Apple Document Sharing Service | -- | serverdocs | macOS Server iOS file sharing |
11211 | -- | memcached (unregistered use) | -- | -- | Calendar Server |
16080 | TCP | -- | -- | -- | Web service with performance cache |
16384–16403 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | -- | connected, -- | Messages (Audio RTP, RTCP; Video RTP, RTCP) |
16384–16387 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | -- | connected, -- | FaceTime, Game Center |
16393–16402 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | -- | -- | FaceTime, Game Center |
16403–16472 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | -- | -- | Game Center |
24000–24999 | TCP | -- | -- | med-ltp | Web service with performance cache |
42000–42999 | TCP | -- | -- | -- | iTunes Radio streams |
49152–65535 | TCP | Xsan | -- | -- | Xsan Filesystem Access |
49152–65535 | UDP | -- | -- | -- | |
50003 | -- | FileMaker server service | -- | -- | -- |
50006 | -- | FileMaker helper service | -- | -- | -- |
1. The service registered with the Internet Assigned Numbers Authority, except where noted as “unregistered use”.
2. The number of a Request for Comment (RFC) document that defines the service or protocol. RFC documents are maintained by RFC Editor.
3. In the output of Terminal commands, the port number might be replaced by this Service Name, which is the label listed in /etc/services.
FaceTime is not available in all countries or regions.
Learn more
The application firewall in macOS is not a port-based firewall. It controls access by app, instead of by port.
By Rick Anderson
This document shows how to:
- Require HTTPS for all requests.
- Redirect all HTTP requests to HTTPS.
No API can prevent a client from sending sensitive data on the first request.
Warning
API projects
Do not use RequireHttpsAttribute on Web APIs that receive sensitive information. RequireHttpsAttribute uses HTTP status codes to redirect browsers from HTTP to HTTPS. API clients may not understand or obey redirects from HTTP to HTTPS. Such clients may send information over HTTP. Web APIs should either:
- Not listen on HTTP.
- Close the connection with status code 400 (Bad Request) and not serve the request.
HSTS and API projects
The default API projects don't include HSTS because HSTS is generally a browser only instruction. Other callers, such as phone or desktop apps, do not obey the instruction. Even within browsers, a single authenticated call to an API over HTTP has risks on insecure networks. The secure approach is to configure API projects to only listen to and respond over HTTPS.
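One way to implement the "status code 400, do not serve" option for an API project, as an added example that is not code from the original page. The middleware and extension-method names (`RejectInsecureRequestsMiddleware`, `UseRejectInsecureRequests`) are hypothetical and not part of ASP.NET Core.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Hypothetical middleware (not an ASP.NET Core type): answers every plain-HTTP
// request with 400 instead of redirecting, so an API client never receives a
// redirect it might follow, or ignore, while resending credentials in clear text.
public class RejectInsecureRequestsMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<RejectInsecureRequestsMiddleware> _logger;

    public RejectInsecureRequestsMiddleware(
        RequestDelegate next,
        ILogger<RejectInsecureRequestsMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Behind a reverse proxy, IsHttps reflects the proxy-to-app hop unless
        // Forwarded Headers Middleware has already updated Request.Scheme.
        if (context.Request.IsHttps)
        {
            await _next(context);
            return;
        }

        // Log only the path and peer address. Headers and body may contain the
        // token or password the client just sent over HTTP.
        _logger.LogWarning(
            "Rejected plain-HTTP request to {Path} from {RemoteIp}",
            context.Request.Path,
            context.Connection.RemoteIpAddress);

        context.Response.StatusCode = StatusCodes.Status400BadRequest;
        // Ask the server to close the connection once the response is written.
        context.Response.Headers["Connection"] = "close";
        context.Response.ContentType = "text/plain";
        await context.Response.WriteAsync("HTTPS is required.");
        // The rest of the pipeline is never invoked for this request.
    }
}

public static class RejectInsecureRequestsExtensions
{
    public static IApplicationBuilder UseRejectInsecureRequests(this IApplicationBuilder app)
        => app.UseMiddleware<RejectInsecureRequestsMiddleware>();
}
```

Register it at the start of the pipeline (after Forwarded Headers Middleware when a proxy terminates TLS) and leave out `UseHttpsRedirection` for that API. Any secret that arrived in a rejected request has already crossed the network in clear text and should be treated as exposed.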
Require HTTPS
We recommend that production ASP.NET Core web apps use:
- HTTPS Redirection Middleware (UseHttpsRedirection) to redirect HTTP requests to HTTPS.
- HSTS Middleware (UseHsts) to send HTTP Strict Transport Security Protocol (HSTS) headers to clients.
Note
Apps deployed in a reverse proxy configuration allow the proxy to handle connection security (HTTPS). If the proxy also handles HTTPS redirection, there's no need to use HTTPS Redirection Middleware. If the proxy server also handles writing HSTS headers (for example, native HSTS support in IIS 10.0 (1709) or later), HSTS Middleware isn't required by the app. For more information, see Opt-out of HTTPS/HSTS on project creation.
UseHttpsRedirection
The following code calls UseHttpsRedirection in the Startup class:
The preceding highlighted code:
- Uses the default HttpsRedirectionOptions.RedirectStatusCode (Status307TemporaryRedirect).
- Uses the default HttpsRedirectionOptions.HttpsPort (null) unless overridden by the ASPNETCORE_HTTPS_PORT environment variable or IServerAddressesFeature.
We recommend using temporary redirects rather than permanent redirects. Link caching can cause unstable behavior in development environments. If you prefer to send a permanent redirect status code when the app is in a non-Development environment, see the Configure permanent redirects in production section. We recommend using HSTS to signal to clients that only secure resource requests should be sent to the app (only in production).
Port configuration
A port must be available for the middleware to redirect an insecure request to HTTPS. If no port is available:
- Redirection to HTTPS doesn't occur.
- The middleware logs the warning 'Failed to determine the https port for redirect.'
Specify the HTTPS port using any of the following approaches:
- Set HttpsRedirectionOptions.HttpsPort.
- Set the https_port host setting:
  - In host configuration.
  - By setting the ASPNETCORE_HTTPS_PORT environment variable.
  - By adding a top-level entry in appsettings.json:
- Indicate a port with the secure scheme using the ASPNETCORE_URLS environment variable. The environment variable configures the server. The middleware indirectly discovers the HTTPS port via IServerAddressesFeature. This approach doesn't work in reverse proxy deployments.
- In development, set an HTTPS URL in launchsettings.json. Enable HTTPS when IIS Express is used.
- Configure an HTTPS URL endpoint for a public-facing edge deployment of Kestrel server or HTTP.sys server. Only one HTTPS port is used by the app. The middleware discovers the port via IServerAddressesFeature.
Note
When an app is run in a reverse proxy configuration, IServerAddressesFeature isn't available. Set the port using one of the other approaches described in this section.
Edge deployments
When Kestrel or HTTP.sys is used as a public-facing edge server, Kestrel or HTTP.sys must be configured to listen on both:
- The secure port where the client is redirected (typically, 443 in production and 5001 in development).
- The insecure port (typically, 80 in production and 5000 in development).
The insecure port must be accessible by the client in order for the app to receive an insecure request and redirect the client to the secure port.
For more information, see Kestrel endpoint configuration or HTTP.sys web server implementation in ASP.NET Core.
Deployment scenarios
Any firewall between the client and server must also have communication ports open for traffic.
If requests are forwarded in a reverse proxy configuration, use Forwarded Headers Middleware before calling HTTPS Redirection Middleware. Forwarded Headers Middleware updates the Request.Scheme, using the X-Forwarded-Proto header. The middleware permits redirect URIs and other security policies to work correctly. When Forwarded Headers Middleware isn't used, the backend app might not receive the correct scheme and end up in a redirect loop. A common end user error message is that too many redirects have occurred.
When deploying to Azure App Service, follow the guidance in Tutorial: Bind an existing custom SSL certificate to Azure Web Apps.
Options
The following highlighted code calls AddHttpsRedirection to configure middleware options:
Calling AddHttpsRedirection is only necessary to change the values of HttpsPort or RedirectStatusCode.
The preceding highlighted code:
- Sets HttpsRedirectionOptions.RedirectStatusCode to Status307TemporaryRedirect, which is the default value. Use the fields of the StatusCodes class for assignments to RedirectStatusCode.
- Sets the HTTPS port to 5001.
Configure permanent redirects in production
The middleware defaults to sending a Status307TemporaryRedirect with all redirects. If you prefer to send a permanent redirect status code when the app is in a non-Development environment, wrap the middleware options configuration in a conditional check for a non-Development environment.
When configuring services in Startup.cs:
HTTPS Redirection Middleware alternative approach
An alternative to using HTTPS Redirection Middleware (UseHttpsRedirection) is to use URL Rewriting Middleware (AddRedirectToHttps). AddRedirectToHttps can also set the status code and port when the redirect is executed. For more information, see URL Rewriting Middleware.
When redirecting to HTTPS without the requirement for additional redirect rules, we recommend using HTTPS Redirection Middleware (UseHttpsRedirection) described in this topic.
HTTP Strict Transport Security Protocol (HSTS)
Per OWASP, HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that's specified by a web app through the use of a response header. When a browser that supports HSTS receives this header:
- The browser stores configuration for the domain that prevents sending any communication over HTTP. The browser forces all communication over HTTPS.
- The browser prevents the user from using untrusted or invalid certificates. The browser disables prompts that allow a user to temporarily trust such a certificate.
Because HSTS is enforced by the client, it has some limitations:
- The client must support HSTS.
- HSTS requires at least one successful HTTPS request to establish the HSTS policy.
- The application must check every HTTP request and redirect or reject the HTTP request.
ASP.NET Core 2.1 and later implements HSTS with the UseHsts extension method. The following code calls UseHsts when the app isn't in development mode:
UseHsts isn't recommended in development because the HSTS settings are highly cacheable by browsers. By default, UseHsts excludes the local loopback address.
For production environments that are implementing HTTPS for the first time, set the initial HstsOptions.MaxAge to a small value using one of the TimeSpan methods. Set the value from hours to no more than a single day in case you need to revert the HTTPS infrastructure to HTTP. After you're confident in the sustainability of the HTTPS configuration, increase the HSTS max-age value; a commonly used value is one year.
The following code:
- Sets the preload parameter of the Strict-Transport-Security header. Preload isn't part of the RFC HSTS specification, but is supported by web browsers to preload HSTS sites on fresh install. For more information, see https://hstspreload.org/.
- Enables includeSubDomain, which applies the HSTS policy to Host subdomains.
- Explicitly sets the max-age parameter of the Strict-Transport-Security header to 60 days. If not set, defaults to 30 days. For more information, see the max-age directive.
- Adds example.com to the list of hosts to exclude.
UseHsts excludes the following loopback hosts:
- localhost: The IPv4 loopback address.
- 127.0.0.1: The IPv4 loopback address.
- [::1]: The IPv6 loopback address.
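The redirection options, the production-only permanent redirect, the Forwarded Headers ordering and the HSTS options described in the sections above, combined in one Startup class. This is an added example, not the listing from the original page; it assumes an ASP.NET Core 3.x Razor Pages app and takes the ports (5001 in development, 443 in production), the 60-day max-age and the example.com exclusion from the text.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IWebHostEnvironment _env;

    public Startup(IWebHostEnvironment env) => _env = env;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddRazorPages();

        // Reverse proxy deployments: let Forwarded Headers Middleware set
        // Request.Scheme from X-Forwarded-Proto. By default only loopback
        // proxies are trusted; add the real proxy address to KnownProxies or
        // KnownNetworks for any other topology.
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
        });

        services.AddHsts(options =>
        {
            options.Preload = true;
            options.IncludeSubDomains = true;
            // On a first HTTPS rollout, start with hours to one day instead,
            // so the policy can still be reverted while browsers cache it.
            options.MaxAge = TimeSpan.FromDays(60);
            options.ExcludedHosts.Add("example.com");
        });

        services.AddHttpsRedirection(options =>
        {
            // Temporary redirects in development avoid cached links pointing
            // at the wrong port; permanent redirects are used elsewhere.
            options.RedirectStatusCode = _env.IsDevelopment()
                ? StatusCodes.Status307TemporaryRedirect
                : StatusCodes.Status308PermanentRedirect;
            // An explicit port is required behind a proxy, where
            // IServerAddressesFeature isn't available.
            options.HttpsPort = _env.IsDevelopment() ? 5001 : 443;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before HTTPS redirection; otherwise the app sees the
        // proxy-to-app scheme and can end up in a redirect loop.
        app.UseForwardedHeaders();

        if (_env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            // Not enabled in development: browsers cache the HSTS policy.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapRazorPages());
    }
}
```

With this configuration a browser's first plain-HTTP request is redirected, and the Strict-Transport-Security header is only emitted on HTTPS responses, so the first-request exposure described in the limitations list still applies.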
Opt-out of HTTPS/HSTS on project creation
In some backend service scenarios where connection security is handled at the public-facing edge of the network, configuring connection security at each node isn't required. Web apps that are generated from the templates in Visual Studio or from the dotnet new command enable HTTPS redirection and HSTS. For deployments that don't require these scenarios, you can opt-out of HTTPS/HSTS when the app is created from the template.
To opt-out of HTTPS/HSTS:
Uncheck the Configure for HTTPS check box.
Use the --no-https option. For example
Trust the ASP.NET Core HTTPS development certificate on Windows and macOS
The .NET Core SDK includes an HTTPS development certificate. The certificate is installed as part of the first-run experience. For example, dotnet --info produces a variation of the following output:
Installing the .NET Core SDK installs the ASP.NET Core HTTPS development certificate to the local user certificate store. The certificate has been installed, but it's not trusted. To trust the certificate, perform the one-time step to run the dotnet dev-certs tool:
The following command provides help on the dev-certs tool:
How to set up a developer certificate for Docker
See this GitHub issue.
Trust HTTPS certificate from Windows Subsystem for Linux
The Windows Subsystem for Linux (WSL) generates an HTTPS self-signed cert. To configure the Windows certificate store to trust the WSL certificate:
- Run the following command to export the WSL-generated certificate:
- In a WSL window, run the following command:
The preceding command sets the environment variables so Linux uses the Windows trusted certificate.
Troubleshoot certificate problems
This section provides help when the ASP.NET Core HTTPS development certificate has been installed and trusted, but you still have browser warnings that the certificate is not trusted. The ASP.NET Core HTTPS development certificate is used by Kestrel.
All platforms - certificate not trusted
Run the following commands:
Close any browser instances open. Open a new browser window to app. Certificate trust is cached by browsers.
The preceding commands solve most browser trust issues. If the browser is still not trusting the certificate, follow the platform-specific suggestions that follow.
Docker - certificate not trusted
- Delete the C:\Users\{USER}\AppData\Roaming\ASP.NET\Https folder.
- Clean the solution. Delete the bin and obj folders.
- Restart the development tool. For example, Visual Studio, Visual Studio Code, or Visual Studio for Mac.
Windows - certificate not trusted
- Check the certificates in the certificate store. There should be a localhost certificate with the ASP.NET Core HTTPS development certificate friendly name both under Current User > Personal > Certificates and Current User > Trusted root certification authorities > Certificates.
- Remove all the found certificates from both Personal and Trusted root certification authorities. Do not remove the IIS Express localhost certificate.
- Run the following commands:
Close any browser instances open. Open a new browser window to app.
OS X - certificate not trusted
- Open Keychain Access.
- Select the System keychain.
- Check for the presence of a localhost certificate.
- Check that it contains a + symbol on the icon to indicate it's trusted for all users.
- Remove the certificate from the system keychain.
- Run the following commands:
Close any browser instances open. Open a new browser window to app.
See HTTPS Error using IIS Express (dotnet/AspNetCore #16892) for troubleshooting certificate issues with Visual Studio.
IIS Express SSL certificate used with Visual Studio
To fix problems with the IIS Express certificate, select Repair from the Visual Studio installer. For more information, see this GitHub issue.