-1

I searched and found many links which tells to block HTTP and some specific domain or allow specific domain using Transport Security in Plist file like Transport security has blocked a cleartext HTTP and Application Transport Security. I used following in my plist

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
</dict>

My app consuming APIs and displaying data on views, there is a page in my app where I set server url like https://liveserver.com and http://localserver.com, but when I set url http://localserver.com it still working. And It still working with true value. Kindly give me suggestion how to block All HTTP urls and app will only work with HTTPS.

Thanks

Community
  • 1
  • 1
Aleem
  • 3,173
  • 5
  • 33
  • 71
  • Try deleting the key `NSAllowsArbitraryLoads`. – JonJ Nov 05 '18 at 14:34
  • @Aleem What do you mean by "user can set Domain like https://google.com"? are those links in your app and opening this in browser or webView? – Satish Nov 05 '18 at 19:47
  • Google.com is just an example. Actually my app is consuming APIs of our local server like http:/localServer.com and one live server like https:/liveServer.com – Aleem Nov 06 '18 at 06:49
  • How are you accessing the domains in question? SFSafariViewController? UIWebView? NSURLConnection? – wottle Nov 12 '18 at 16:48
  • @Aleem you need to provide details about how you are trying to connect to the domains above. ATS only applies in some scenarios. For example, if you are doing it in a SFSafariViewController, your ATS settings will not apply, since SFSafariViewController is sandboxed separate from your app. – wottle Nov 13 '18 at 15:48

1 Answers1

1

Try with:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>domain.com</key>
        <dict>
            <!--Include to allow subdomains-->
            <key>NSIncludesSubdomains</key>
            <true/>
            <!--Include to allow HTTP requests-->
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!--Include to specify minimum TLS version-->
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>

For Block all HTTP try

<key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
     <key>*</key>
    <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <false/>
    </dict>
  </dict>
 </dict>
Daniel Muñoz
  • 547
  • 1
  • 7
  • 23
  • I don't want to mention "domain.com", I simply want to disallow all HTTP and allow all url with HTTPS – Aleem Nov 05 '18 at 14:28
  • For Block all HTTP try: not worked!! It still allows to ping – Aleem Nov 05 '18 at 15:58
  • 1
    ping is not using an http connection. It uses its own protocol and it's own port. How are you trying to connect to these domains? Seem my question above if you want answers on how to do what you are asking. – wottle Nov 13 '18 at 15:47