--- title: NSExceptionDomains framework: bundleresources role: symbol role_heading: Property List Key path: bundleresources/information-property-list/nsapptransportsecurity/nsexceptiondomains --- # NSExceptionDomains Custom App Transport Security (ATS) configurations for named domains. ## Discussion Discussion The value for this key is a dictionary with keys that name specific domains, IP addresses, or IP address ranges for which you want to set exceptions. The value for each domain key is another dictionary that indicates the exceptions for that domain. NSExceptionDomains : Dictionary { : Dictionary { NSIncludesSubdomains : Boolean NSExceptionAllowsInsecureHTTPLoads : Boolean NSExceptionMinimumTLSVersion : String NSExceptionRequiresForwardSecrecy : Boolean } } Follow these rules when setting a domain name string: Use lowercase — Use example.com, not EXAMPLE.COM. Use a DNS domain name, IP address, or range of IP addresses — In iOS 17, iPadOS 17, and macOS 14, you can use an IPv4 address, for example 192.168.42.63, or an IPv6 address, for example 2001:db8:12::34. You can also use a classless inter-domain routing (CIDR) range, for example 2001:db8:12::/48. For information about how ATS handles IP addresses, see NSAllowsLocalNetworking. note: If you exclude a DNS domain name and your app contacts a host by IP address, the ATS exclusion for the domain name doesn’t apply to the connection even if a DNS query for the domain name would resolve to the IP address. If you exclude an IP address and your app contacts a host by DNS name that resolves to that IP address, the ATS exclusion for the IP address doesn’t apply to the connection. Don’t include a port number — Use example.com, not example.com:443. Don’t include a trailing dot, unless you only want to match a domain string with a trailing dot — For example, example.com. (with a trailing dot) matches “example.com.” but not “example.com”. Similarly, example.com matches “example.com” but not “example.com.”. Don’t use wildcard domains — Don’t use *.example.com. Instead, use example.com and set NSIncludesSubdomains to YES. The values for the keys in each individual domain’s dictionary control how ATS treats connections made to that domain. note: If you specify an exception domain dictionary, ATS ignores any global configuration keys, like NSAllowsArbitraryLoads, for that domain. This is true even if you leave the domain-specific dictionary empty and rely entirely on its keys’ default values. ## Topics ### Subdomains - [NSIncludesSubdomains](bundleresources/information-property-list/nsincludessubdomains.md) ### Exceptions - [NSExceptionAllowsInsecureHTTPLoads](bundleresources/information-property-list/nsexceptionallowsinsecurehttploads.md) - [NSExceptionMinimumTLSVersion](bundleresources/information-property-list/nsexceptionminimumtlsversion.md) - [NSExceptionRequiresForwardSecrecy](bundleresources/information-property-list/nsexceptionrequiresforwardsecrecy.md) - [NSRequiresCertificateTransparency](bundleresources/information-property-list/nsrequirescertificatetransparency.md) - [NSExceptionRequiresNIAPTLSPackageVersion](bundleresources/information-property-list/nsexceptionrequiresniaptlspackageversion.md)