Parameter | Details |
---|---|
NSAppTransportSecurity | Configure ATS |
NSAllowsArbitraryLoads | Set to YES to disable ATS everywhere. In iOS 10 and later, and macOS 10.12 and later, the value of this key is ignored if any of the following keys are present in your app’s Info.plist file: NSAllowsArbitraryLoadsInMedia, NSAllowsArbitraryLoadsInWebContent, NSAllowsLocalNetworking |
NSAllowsArbitraryLoadsInMedia | Set to YES to disable ATS for media loaded using APIs from the AV Foundation framework. (iOS 10+, macOS 10.12+) |
NSAllowsArbitraryLoadsInWebContent | Set to YES to disable ATS in your app’s web views (WKWebView , UIWebView , WebView ) without affecting your NSURLSession connections. (iOS 10+, macOS 10.12+) |
NSAllowsLocalNetworking | Set to YES to disable for connections to unqualified domains and to .local domains. (iOS 10+, macOS 10.12+) |
NSExceptionDomains | Configure exceptions for specific domains |
NSIncludesSubdomains | Set to YES to apply the exceptions to all subdomains of the selected domain. |
NSRequiresCertificateTransparency | Set to YES to require that valid, signed Certificate Transparency (CT) timestamps, from known CT logs, be presented for server (X.509) certificates on a domain. (iOS 10+, macOS 10.12+) |
NSExceptionAllowsInsecureHTTPLoads | Set to YES to allow HTTP on the selected domain. |
NSExceptionRequiresForwardSecrecy | Defaults to YES ; Set to NO to disable Forward Secrecy and accept more ciphers. |
NSExceptionMinimumTLSVersion | Defaults to TLSv1.2 ; Possible values are: TLSv1.0 , TLSv1.1 , TLSv1.2 |
NSThirdPartyExceptionAllowsInsecureHTTPLoads | Similar to NSExceptionAllowsInsecureHTTPLoads , but for domains that you have no control over |
NSThirdPartyExceptionRequiresForwardSecrecy | Similar to NSExceptionRequiresForwardSecrecy , but for domains that you have no control over |
NSThirdPartyExceptionMinimumTLSVersion | Similar to NSExceptionMinimumTLSVersion , but for domains that you have no control over |
The App Transport Security is a security feature in iOS and macOS. It prevents apps from establishing unsecured connections. By default, apps can only use secure HTTPS connections.
If an app needs to connect to a server via HTTP, exceptions must be defined in the Info.plist
. (see the examples for more information about that)
Note: In 2017, Apple will enforce ATS. That means, that you can no longer upload apps that have ATS-exceptions defined in the Info.plist
. If you can provide good arguments, why you have to use HTTP, you can contact Apple and they might allow you to define exceptions. (Source: WWDC 2016 - Session 706)
More information on the App Transport Security configuration can be found in the CocoaKeys Documentation.