HTTPS is enabled by default
The default value of the UseHttps configuration in Global Settings has been changed from false to true.
If you need to run Umbraco without HTTPS, make sure to update appsettings.json accordingly.
Authentication for the backoffice client
Following the draft Request for Comments (RFC) from the Internet Engineering Task Force (IETF), the backoffice client authentication has been changed to tighten security.
This change affects only the backoffice client authentication against the Management API. API user authentication against the Management API remains unaffected, as does the Delivery API.
This change might affect custom backoffice extensions that interact with the Management API. All fetch requests to the Management API must include credentials by declaring credentials: 'include'.
By default, backoffice extensions built using the HQ package starter template are not affected.
For more details on this update, see the following PRs: #20779 and #20820.