NSExceptionDomains

Custom App Transport Security (ATS) configurations for named domains.

Discussion

The value for this key is a dictionary with keys that name specific domains, IP addresses, or IP address ranges for which you want to set exceptions. The value for each domain key is another dictionary that indicates the exceptions for that domain.

NSExceptionDomains : Dictionary {
    <domain-name-or-ip-address-string> : Dictionary {
        NSIncludesSubdomains : Boolean
        NSExceptionAllowsInsecureHTTPLoads : Boolean
        NSExceptionMinimumTLSVersion : String
        NSExceptionRequiresForwardSecrecy : Boolean
    }
}

Follow these rules when setting a domain name string:

  • Use lowercase — Use example.com, not EXAMPLE.COM.

  • Use a DNS domain name, IP address, or range of IP addresses — In iOS 17, iPadOS 17, and macOS 14, you can use an IPv4 address, for example 192.168.42.63, or an IPv6 address, for example 2001:db8:12::34. You can also use a classless inter-domain routing (CIDR) range, for example 2001:db8:12::/48. For information about how ATS handles IP addresses, see NSAllowsLocalNetworking.

  • Don’t include a port number — Use example.com, not example.com:443.

  • Don’t include a trailing dot, unless you only want to match a domain string with a trailing dot — For example, example.com. (with a trailing dot) matches “example.com.” but not “example.com”. Similarly, example.com matches “example.com” but not “example.com.”.

  • Don’t use wildcard domains — Don’t use *.example.com. Instead, use example.com and set NSIncludesSubdomains to YES.

The values for the keys in each individual domain’s dictionary control how ATS treats connections made to that domain.
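The naming rules above can be checked before release. The following is an added example, not part of the original documentation: a small linter for the `NSExceptionDomains` keys of an Info.plist. The helper names and the sample plist are constructed for illustration. It reports a trailing dot even though the rules permit one when that match is intended, and it also reports any domain that sets `NSExceptionAllowsInsecureHTTPLoads`.

```python
import ipaddress
import plistlib

# Constructed Info.plist fragment; several keys break the naming rules on purpose.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>NSAppTransportSecurity</key><dict>
<key>NSExceptionDomains</key><dict>
  <key>example.com</key><dict><key>NSIncludesSubdomains</key><true/></dict>
  <key>API.Example.com</key><dict/>
  <key>example.com:443</key><dict/>
  <key>*.example.org</key><dict/>
  <key>example.net.</key><dict/>
  <key>2001:db8:12::/48</key><dict/>
  <key>legacy.example.com</key>
  <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
</dict></dict></dict></plist>"""

def is_ip_or_cidr(name):
    try:
        ipaddress.ip_network(name, strict=False)
        return True
    except ValueError:
        return False

def lint_domain_key(name):
    """Return rule violations for one NSExceptionDomains key (hypothetical helper)."""
    issues = ["not lowercase"] if name != name.lower() else []
    if is_ip_or_cidr(name):  # IPv6 literals contain ':', so skip the hostname checks
        return issues
    if ":" in name:
        issues.append("port number")
    if name.endswith("."):
        issues.append("trailing dot")  # allowed only if the dotted form is intended
    if "*" in name:
        issues.append("wildcard")
    return issues

def lint_ats(plist_bytes):
    """Map each flagged domain key to its findings."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = {}
    for name, exc in ats.get("NSExceptionDomains", {}).items():
        issues = lint_domain_key(name)
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            issues.append("allows insecure HTTP loads")
        if issues:
            findings[name] = issues
    return findings
```

Calling `lint_ats(SAMPLE_PLIST)` returns a dictionary of the five flagged keys; `example.com` and the IPv6 CIDR range pass.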

Topics

Subdomains

Exceptions