App Transport Security ATS
suggest changeParameters
Parameter | Details |
——— | —–– |NSAppTransportSecurity
| Configure ATS |NSAllowsArbitraryLoads
| Set to YES
to disable ATS everywhere. In iOS 10 and later, and macOS 10.12 and later, the value of this key is ignored if any of the following keys are present in your app’s Info.plist file: NSAllowsArbitraryLoadsInMedia, NSAllowsArbitraryLoadsInWebContent, NSAllowsLocalNetworking |NSAllowsArbitraryLoadsInMedia
| Set to YES
to disable ATS for media loaded using APIs from the AV Foundation framework. (iOS 10+, macOS 10.12+) |NSAllowsArbitraryLoadsInWebContent
| Set to YES
to disable ATS in your app’s web views (WKWebView
, UIWebView
, WebView
) without affecting your NSURLSession connections. (iOS 10+, macOS 10.12+) |NSAllowsLocalNetworking
| Set to YES
to disable for connections to unqualified domains and to .local domains. (iOS 10+, macOS 10.12+) |NSExceptionDomains
| Configure exceptions for specific domains |NSIncludesSubdomains
| Set to YES
to apply the exceptions to all subdomains of the selected domain. |NSRequiresCertificateTransparency
| Set to YES
to require that valid, signed Certificate Transparency (CT) timestamps, from known CT logs, be presented for server (X.509) certificates on a domain. (iOS 10+, macOS 10.12+) |NSExceptionAllowsInsecureHTTPLoads
| Set to YES
to allow HTTP on the selected domain. |NSExceptionRequiresForwardSecrecy
| Defaults to YES
; Set to NO
to disable Forward Secrecy and accept more ciphers. |NSExceptionMinimumTLSVersion
| Defaults to TLSv1.2
; Possible values are: TLSv1.0
, TLSv1.1
, TLSv1.2
|NSThirdPartyExceptionAllowsInsecureHTTPLoads
| Similar to NSExceptionAllowsInsecureHTTPLoads
, but for domains that you have no control over|NSThirdPartyExceptionRequiresForwardSecrecy
| Similar to NSExceptionRequiresForwardSecrecy
, but for domains that you have no control over|NSThirdPartyExceptionMinimumTLSVersion
| Similar to NSExceptionMinimumTLSVersion
, but for domains that you have no control over|
Remarks
The App Transport Security is a security feature in iOS and macOS. It prevents apps from establishing unsecured connections. By default, apps can only use secure HTTPS connections.
If an app needs to connect to a server via HTTP, exceptions must be defined in the Info.plist
. (see the examples for more information about that)
Note: In 2017, Apple will enforce ATS. That means, that you can no longer upload apps that have ATS-exceptions defined in the Info.plist
. If you can provide good arguments, why you have to use HTTP, you can contact Apple and they might allow you to define exceptions. (Source: WWDC 2016 - Session 706)
More information on the App Transport Security configuration can be found in the CocoaKeys Documentation.