---
title: NSExceptionDomains
framework: Bundle Resources
role: symbol
role_heading: Property List Key
platforms: [iOS 9.0+, iPadOS 9.0+, Mac Catalyst 9.0+, macOS 10.11+, visionOS 1.0+]
path: bundleresources/information_property_list/nsapptransportsecurity/nsexceptiondomains
---

# NSExceptionDomains

Custom App Transport Security (ATS) configurations for named domains.

## Discussion

The value for this key is a dictionary with keys that name specific domains, IP addresses, or IP address ranges for which you want to set exceptions. The value for each domain key is another dictionary that indicates the exceptions for that domain.

```console
NSExceptionDomains : Dictionary {
    <domain-name-or-ip-address-string> : Dictionary {
        NSIncludesSubdomains : Boolean
        NSExceptionAllowsInsecureHTTPLoads : Boolean
        NSExceptionMinimumTLSVersion : String
        NSExceptionRequiresForwardSecrecy : Boolean
    }
}
```

Follow these rules when setting a domain name string:

- **Use lowercase** — Use `example.com`, not `EXAMPLE.COM`.
- **Use a DNS domain name, IP address, or range of IP addresses** — In iOS 17, iPadOS 17, and macOS 14, you can use an IPv4 address, for example `192.168.42.63`, or an IPv6 address, for example `2001:db8:12::34`. You can also use a classless inter-domain routing (CIDR) range, for example `2001:db8:12::/48`. For information about how ATS handles IP addresses, see [NSAllowsLocalNetworking](../../information-property-list/nsapptransportsecurity/nsallowslocalnetworking.md).

> **note:** If you exclude a DNS domain name and your app contacts a host by IP address, the ATS exclusion for the domain name doesn’t apply to the connection even if a DNS query for the domain name would resolve to the IP address. If you exclude an IP address and your app contacts a host by DNS name that resolves to that IP address, the ATS exclusion for the IP address doesn’t apply to the connection.

- **Don’t include a port number** — Use `example.com`, not `example.com:443`.
- **Don’t include a trailing dot, unless you only want to match a domain string with a trailing dot** — For example, `example.com.` (with a trailing dot) matches “example.com.” but not “example.com”. Similarly, `example.com` matches “example.com” but not “example.com.”.
- **Don’t use wildcard domains** — Don’t use `*.example.com`. Instead, use `example.com` and set [NSIncludesSubdomains](../../information-property-list/nsincludessubdomains.md) to `YES`.

The values for the keys in each individual domain’s dictionary control how ATS treats connections made to that domain.

> **note:** If you specify an exception domain dictionary, ATS ignores any global configuration keys, like [NSAllowsArbitraryLoads](../../information-property-list/nsapptransportsecurity/nsallowsarbitraryloads.md), for that domain. This is true even if you leave the domain-specific dictionary empty and rely entirely on its keys’ default values.
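
The naming rules above can be checked before an app ships. The following linter is an added example, not part of the original documentation or any Apple tool; the sample property list, the function names, and the finding labels are constructed for illustration. It parses an `Info.plist`, skips the port, wildcard, and trailing-dot checks for keys that are IP addresses or CIDR ranges, and reports any domain that allows insecure HTTP loads.

```python
import ipaddress
import plistlib

# Constructed sample Info.plist (illustrative; not from the original page).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
 <key>NSExceptionDomains</key><dict>
  <key>API.Example.com</key><dict/>
  <key>example.com:443</key><dict/>
  <key>*.example.net</key><dict/>
  <key>example.org.</key><dict/>
  <key>2001:db8:12::/48</key><dict/>
  <key>legacy.example.com</key><dict>
   <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
  </dict>
 </dict>
</dict>
</dict></plist>"""


def is_ip_or_cidr(name):
    """True for an IPv4/IPv6 address or CIDR range; its colons are not a port."""
    try:
        ipaddress.ip_network(name, strict=False)
        return True
    except ValueError:
        return False


def lint_exception_domains(plist_bytes):
    """Return (domain key, finding) pairs for the NSExceptionDomains entries."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for name, cfg in ats.get("NSExceptionDomains", {}).items():
        if name != name.lower():
            findings.append((name, "not-lowercase"))
        if not is_ip_or_cidr(name):
            if ":" in name:
                findings.append((name, "port-number"))
            if "*" in name:
                findings.append((name, "wildcard"))
            if name.endswith("."):
                findings.append((name, "trailing-dot"))
        # Report cleartext exceptions so each one gets an explicit review.
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads", False):
            findings.append((name, "allows-insecure-http"))
    return findings


if __name__ == "__main__":
    for name, finding in lint_exception_domains(SAMPLE_PLIST):
        print(f"{name}: {finding}")
```

A trailing dot is reported as a finding rather than an error, because the rule permits it when you only want to match the dotted form.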

## Topics

### Subdomains

- [NSIncludesSubdomains](../../information-property-list/nsincludessubdomains.md)

### Exceptions

- [NSExceptionAllowsInsecureHTTPLoads](../../information-property-list/nsexceptionallowsinsecurehttploads.md)
- [NSExceptionMinimumTLSVersion](../../information-property-list/nsexceptionminimumtlsversion.md)
- [NSExceptionRequiresForwardSecrecy](../../information-property-list/nsexceptionrequiresforwardsecrecy.md)
- [NSRequiresCertificateTransparency](../../information-property-list/nsrequirescertificatetransparency.md)
- [NSExceptionRequiresNIAPTLSPackageVersion](../../information-property-list/nsexceptionrequiresniaptlspackageversion.md)
