Transport security has blocked a cleartext HTTP

Question

What setting do I need to put in my info plist to enable HTTP mode as per the following error message      Transport security has blocked a cleartext HTTP  http     resource   load since it is insecure  Temporary exceptions can be configured via   your app s Info plist file      Assume that my domain is example com

User · Answer

It may be worth mentioning how to get there...

Info.plist is one of the files below the Main.storyboard or viewController.swift.

When you click on it the first time, it usually is in a table format, so right click the file and 'open as' Source code and then add the code below towards the end, i.e.:

 <key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><true/></dict>

Copy paste the code just above

 "</dict>
</plist>"

which is at the end.

User · Answer

Development Example  Here is a screenshot of a plist which keeps ATS intact   secure   but allows that connections to localhost can be made via HTTP instead of HTTPS  It works in Xcode 7 1 1

User · Answer

Go to your Info plist   Right Click on empty space and Click on Add Row Write the Key Name as NSAppTransportSecurity  Under it  Select Exception Domains  Add a new item to this Write down your domain name that needs to get accessed Change the Domain type from String to Dictionary  add a new Item NSTemporaryExceptionAllowsInsecureHTTPLoads  that will be a boolean with a true value

User · Answer

This is a quick workaround  but not recommended  to add this in the plist    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSAllowsArbitraryLoads lt  key gt       lt true  gt   lt  dict gt    Which means  according to Apple s documentation       NSAllowsArbitraryLoads    A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary  Listed domains use the settings specified for that domain       The default value of NO requires the default App Transport Security behaviour for all connections    I really recommend links    Apple s technical note WWDC 2015 session 706  Security and Your Apps  starts around 1 50 WWDC 2015 session 711  Networking with NSURLSession  Blog post Shipping an App With App Transport Security   which help me understand reasons and all the implications   The XML  in file Info plist  below will    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSAllowsArbitraryLoads lt  key gt       lt false  gt       lt key gt NSExceptionDomains lt  key gt       lt dict gt           lt key gt PAGE FOR WHICH SETTINGS YOU WANT TO OVERRIDE lt  key gt           lt dict gt               lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt               lt true  gt           lt  dict gt       lt  dict gt   lt  dict gt    disallow arbitrary calls for all pages  but for PAGE FOR WHICH SETTINGS YOU WANT TO OVERRIDE will allow that connections use the HTTP protocol   To the XML above you can add    lt key gt NSIncludesSubdomains lt  key gt   lt true  gt    if you want to allow insecure connections for the subdomains of the specified address   The best approach is to block all arbitrary loads  set to false  and add exceptions to allow only addresses we know are fine   For interested readers  2018 Update   Apple is not recommending switching this off - more information can be found in 207 session WWDC 2018 with more things explained in regards to security  Leaving the original answer for historic reasons and development phase

User · Answer

For those who came here trying to find the reason why their WKWebView is always white and loads nothing  exactly as described here how do I get WKWebView to work in swift and for an macOS App     If all the rocket science above does not work for you check the obvious  the sandbox settings    Being new to swift and cocoa  but pretty experienced in programming I ve spend about 20 hours to find this solution  None of dozens hipster-iOS-tutorials nor apple keynotes     nothing mentions this small checkbox

User · Answer

Like many have noted  this is a feature issue that comes with iOS 9 0  They have added a thing called App Transport Security  and I too was annoyed when it broke my Apps   You can bandage it with the NSAllowsArbitraryLoads key to YES under NSAppTransportSecurity dictionary in your  plist file  but ultimately you will need to re-write the code that forms your URLs to form the HTTPS    prefix   Apple has re-written the NSUrlConnection class in iOS 9 0  You can read about it in NSURLConnection   Else  you may have to back out of iOS 9 0 until you have time to implement the correct solution

User · Answer

Use NSAppTransportSecurity     You have to set the NSAllowsArbitraryLoads key to YES under NSAppTransportSecurity dictionary in your info plist file

User · Answer

For those of you who want a more context on why this is happening  in addition to how to fix it  then read below   With the introduction of iOS 9  to improve the security of connections between an app and web services  secure connections between an app and its web service must follow best practices  The best practices behavior is enforced by the App Transport Security to    prevent accidental disclosure  and provide a default behavior that is secure    As explained in the App Transport Security Technote  when communicating with your web service  App Transport Security now has the following requirements and behavior         The server must support at least Transport Layer Security  TLS  protocol version 1 2    Connection ciphers are limited to those that provide forward secrecy  see the list of ciphers below     Certificates must be signed using a SHA256 or better signature hash algorithm  with either a 2048 bit or greater RSA key or a 256 bit or   greater Elliptic-Curve  ECC  key    Invalid certificates result in a hard failure and no connection       In other words  your web service request should  a   use HTTPS and b   be encrypted using TLS v1 2 with forward secrecy   However  as was mentioned in other posts  you can override this new behavior from App Transport Security by specifying the insecure domain in the Info plist of your app     To override  you will need to add the NSAppTransportSecurity   NSExceptionDomains dictionary properties to your Info plist  Next  you will add your web service s domain to the NSExceptionDomains dictionary   For example  if I want to bypass the App Transport Security behavior for a web service on the host www yourwebservicehost com then I would do the following    Open your app in Xcode  Find the Info plist file in Project Navigator and  right-mouse  click on it and choose the Open As   Source Code menu option  The property list file will appear in the right pane  Put the following properties block inside of the main properties dictionary  under the first  lt dict gt         lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSExceptionDomains lt  key gt       lt dict gt           lt key gt www example com lt  key gt           lt dict gt               lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt               lt true  gt               lt key gt NSExceptionMinimumTLSVersion lt  key gt               lt string gt TLSv1 1 lt  string gt               lt key gt NSIncludesSubdomains lt  key gt               lt true  gt           lt  dict gt       lt  dict gt   lt  dict gt    If you need to provide exceptions for additional domains then you would add another dictionary property beneath NSExceptionDomains   To find out more about the keys referenced above  read this already mentioned technote

User · Answer

Set Allow Arbitrary Loads to NO     You must always use HTTPS for your networking stuff  But if you really can t  just add an exception to the info plist For example  if you are using http   google com and getting that error  You MUST change it to https   google com  with s  since it supports perfectly  But if you can t somehow   and you cant convince backend developers to support SSL   add JUST this unsecured domain to the info plist  instead of making it available for ALL UNSECURE NET

User · Answer

NOTE  The exception domain in your plist should be in LOWER-CASE     Example  you have named your machine  MyAwesomeMacbook  under Settings- Sharing  your server  for test purposes  is running on MyAwesomeMacbook local 3000  and your app needs to send a request to http   MyAwesomeMacbook local 3000 files     your plist you will need to specify  myawesomemacbook local  as the exception domain   --  Your info plist would contain      lt key gt NSAppTransportSecurity lt  key gt   lt dict gt     lt key gt NSExceptionDomains lt  key gt     lt dict gt       lt key gt myawesomemacbook local lt  key gt       lt dict gt         lt  --Include to allow subdomains-- gt         lt key gt NSIncludesSubdomains lt  key gt         lt true  gt         lt  --Include to allow HTTP requests-- gt         lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt         lt true  gt       lt  dict gt     lt  dict gt   lt  dict gt

User · Answer

For Cordova  if you want to add it into your ios json  do the following    NSAppTransportSecurity                 xml     lt dict gt  lt key gt NSAllowsArbitraryLoads lt  key gt  lt true   gt  lt  dict gt            And it should be inside of     -Info plist         parents

User · Answer

Here are the settings visually

User · Answer

See the forum post Application Transport Security    Also the page Configuring App Transport Security Exceptions in iOS 9 and OSX 10 11   For example  you can add a specific domain like    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt     lt key gt NSExceptionDomains lt  key gt     lt dict gt       lt key gt example com lt  key gt       lt dict gt         lt  --Include to allow subdomains-- gt         lt key gt NSIncludesSubdomains lt  key gt         lt true  gt         lt  --Include to allow HTTP requests-- gt         lt key gt NSTemporaryExceptionAllowsInsecureHTTPLoads lt  key gt         lt true  gt         lt  --Include to specify minimum TLS version-- gt         lt key gt NSTemporaryExceptionMinimumTLSVersion lt  key gt         lt string gt TLSv1 1 lt  string gt       lt  dict gt     lt  dict gt   lt  dict gt    The lazy option is    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt     lt  --Include to allow all connections  DANGER -- gt     lt key gt NSAllowsArbitraryLoads lt  key gt         lt true  gt   lt  dict gt    Note   info plist is an XML file so you can place this code more or less anywhere inside the file

User · Answer

In swift 4 and xocde 10 is change the NSAllowsArbitraryLoads to Allow Arbitrary Loads  so it is going to be look like this      lt key gt App Transport Security Settings lt  key gt   lt dict gt        lt key gt Allow Arbitrary Loads lt  key gt  lt true  gt   lt  dict gt

User · Answer

I do not like editing the plist directly  You can easily add it to the plist using the GUI    Click on the Info plist in the Navigator on the left   Now change the data in the main area    On the last line add the   Enter the name of the group  App Transport Security Settings Right click on the group and select Add Row Enter Allow Arbitrary Loads  Set the value on the right to YES

User · Answer

Transport security is available on iOS 9 0 or later  You may have this warning when trying to call a WS inside your application      Application Transport Security has blocked a cleartext HTTP  http     resource load since it is insecure  Temporary exceptions can be configured via your app s Info plist file    Adding the following to your Info plist will disable ATS    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt        lt key gt NSAllowsArbitraryLoads lt  key gt  lt true  gt   lt  dict gt

User · Answer

Finally    Resolved App transport Security      1  Follow the follow the screen shot  Do it in Targets info Section

User · Answer

If you are using Xcode 8 0  and Swift 2 2  or even Objective C   If you want to allow HTTP connections to any site  you can use this keys   lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSAllowsArbitraryLoads lt  key gt       lt true  gt   lt  dict gt   If you know which domains you will connect to add   lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSExceptionDomains lt  key gt       lt dict gt           lt key gt example com lt  key gt           lt dict gt               lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt               lt true  gt               lt key gt NSIncludesSubdomains lt  key gt               lt true  gt           lt  dict gt       lt  dict gt   lt  dict gt

User · Answer

Figuring out what settings to use can be performed automatically  as mentioned in this technote    usr bin nscurl --ats-diagnostics --verbose https   your-domain com

User · Answer

By default  iOS only allows HTTPS API  Since HTTP is not secure  you will have to disable App transport security  There are two ways to disable ATS -     1  Adding source code in project info plist and add the following code in root   tag     lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSAllowsArbitraryLoads lt  key gt       lt true  gt   lt  dict gt       2  Using project info    Click on project on the project on the left pane  select the project as target and choose info tab  You have to add the dictionary in the following structure

User · Answer

According to Apple  generally disabling ATS will lead to app rejection  unless you have a good reason to do so  Even then  you should add exceptions for domains that you can access safely   Apple has an excellent tool that tells you exactly what settings to use  In Terminal  enter   usr bin nscurl --ats-diagnostics --verbose https   www example com whatever   and nscurl will check whether this request fails  and then try a variety of settings and tell you exactly which one passes  and what to do  For example  for some third-party URL that I visit  this command told me that this dictionary passes         NSExceptionDomains              www example com                  NSExceptionRequiresForwardSecrecy   false                        To distinguish between your own sites and third-party sites that are out of your control  use  for example  the key NSThirdPartyExceptionRequiresForwardSecrecy

User · Answer

Using NSExceptionDomains may not apply an effect simultaneously due to target site may load resources  e g  js files  from external domains over http  It can be resolved by adding these external domains to NSExceptionDomains as well   To inspect which resources cannot be loaded try to use Remote debugging  Here is a tutorial  http   geeklearning io apache-cordova-and-remote-debugging-on-ios

User · Answer

There are two solutions for this    Solutions 1      In Info plist file add a dictionary with key  NSAppTransportSecurity  Add another element inside dictionary with key  Allow Arbitrary Loads    Plist structure should appear as shown in below image     Solution 2     In Info plist file add a dictionary with key  NSAppTransportSecurity  Add another element inside dictionary with key  NSExceptionDomains  Add element with key  MyDomainName com  of type NSDictionary Add element with key  NSIncludesSubdomains  of type Boolean and value set as YES Add element with key  NSTemporaryExceptionAllowsInsecureHTTPLoads  of type Boolean and value set as YES   Plist structure should appear as shown in below image     Solution 2 is preferred since it allows only selected domain whereas solution 1 allows all insecure HTTP connections

User · Answer

This was tested and was working on iOS 9 GM seed - this is the configuration to allow a specific domain to use HTTP instead of HTTPS    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt         lt key gt NSAllowsArbitraryLoads lt  key gt          lt false  gt          lt key gt NSExceptionDomains lt  key gt          lt dict gt               lt key gt example com lt  key gt   lt  --Include your domain at this line -- gt               lt dict gt                   lt key gt NSIncludesSubdomains lt  key gt                   lt true  gt                   lt key gt NSTemporaryExceptionAllowsInsecureHTTPLoads lt  key gt                   lt true  gt                   lt key gt NSTemporaryExceptionMinimumTLSVersion lt  key gt                   lt string gt TLSv1 1 lt  string gt               lt  dict gt          lt  dict gt   lt  dict gt    NSAllowsArbitraryLoads must be false  because it disallows all insecure connection  but the exceptions list allows connection to some domains without HTTPS

User · Answer

On 2015-09-25  after Xcode updates on 2015-09-18    I used a non-lazy method  but it didn t work  The followings are my tries   First    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSExceptionDomains lt  key gt       lt dict gt           lt key gt www xxx yyy zzz lt  key gt           lt dict gt               lt key gt NSTemporaryExceptionAllowsInsecureHTTPLoads lt  key gt               lt true  gt               lt key gt NSTemporaryExceptionMinimumTLSVersion lt  key gt               lt string gt TLSv1 1 lt  string gt               lt key gt NSIncludesSubdomains lt  key gt               lt true  gt           lt  dict gt       lt  dict gt   lt  dict gt    And second    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSExceptionDomains lt  key gt       lt dict gt           lt key gt www xxx yyy zzz lt  key gt           lt dict gt               lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt               lt true  gt               lt key gt NSExceptionMinimumTLSVersion lt  key gt               lt string gt TLSv1 1 lt  string gt               lt key gt NSIncludesSubdomains lt  key gt               lt true  gt           lt  dict gt       lt  dict gt   lt  dict gt    Finally  I used the lazy method    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSAllowsArbitraryLoads lt  key gt       lt true  gt   lt  dict gt    It might be a little insecure  but I couldn t find other solutions

User · Answer

Update for Xcode 7 1  facing problem 27 10 15   The new value in the Info plist is  App Transport Security Settings   From there  this dictionary should contain    Allow Arbitrary Loads   YES Exception Domains  insert here your http domain

User · Answer

Use     Add a new item  NSAppTransportSecurity  in the plist file with type Dictionary  then add sub item NSAllowsArbitraryLoads in dictionary of type Boolean  and set bool value YES  This works for me

User · Answer

How to fix it         Below steps to fix it

[ios] Transport security has blocked a cleartext HTTP

Examples related to ios

Examples related to xcode

Examples related to ios9

Examples related to ios10

Examples related to app-transport-security