Set NSAllowsArbitraryLoads to false

Hi All,

In our application we want to enforce security for the app, so I want to set NSAllowsArbitraryLoads to false in info.plist. But when I build the application, the value changes back to true. Please provide some input.

Thanks,
Aruna.

You have to set this value in config.xml inside the platform ios section.

Hi Ajay,

Appreciate your interest. I even tried setting it in config.xml. I have also tried adding the plugin cordova-plugin-transport-security and edited the plugin.xml of this plugin to set the value to false. But again, when I build the application, the value gets changed to true.

I was having a similar issue with Cordova/Ionic and you are right @arunapavan, Cordova sets NSAllowsArbitraryLoads to “true” by default. This happens in the prepare phase.
Also, it happens after the <edit-file> and <config-file> configurations from config.xml are applied, so you will not get a chance to change it through config.xml. To me it looks like a bug in Cordova.
My workaround was to write a hook for after_prepare and manipulate the plist values.

<hook src="scripts/ios-allows-arbitrary-loads-fix.js" type="after_prepare" />

I used an npm package to read the plist and convert it to a JS object, then changed it and converted it back to XML.

My code snippet is like this:

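require('dotenv').config();
const plist = require('plist');
const fs = require('fs');

// Info.plist generated for the iOS platform by the prepare phase
const plistFilePath = `${__dirname}/../platforms/ios/MyApp/MyApp-Info.plist`;
const plistXML = fs.readFileSync(plistFilePath, 'utf8');
const plistJson = plist.parse(plistXML);

// Make sure the ATS dictionary exists before editing it
plistJson.NSAppTransportSecurity = plistJson.NSAppTransportSecurity || {};
// Remove the exception domains and the arbitrary-loads flag
delete plistJson.NSAppTransportSecurity.NSExceptionDomains;
delete plistJson.NSAppTransportSecurity.NSAllowsArbitraryLoads;
// Allow loads from local network resources
plistJson.NSAppTransportSecurity.NSAllowsLocalNetworking = true;

// Serialize back to XML and overwrite the generated plist
const updatedPlistXML = plist.build(plistJson);
fs.writeFileSync(plistFilePath, updatedPlistXML);
console.log('Successfully updated plist\'s security tags (NSAppTransportSecurity)!');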


2 Likes
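A stricter variant of the after_prepare workaround above, as an added example that is not part of the original posts: it removes only the global bypass keys, keeps per-domain exceptions for review, and reports whatever still weakens ATS. It works on the object a plist parser returns; `hardenAts`, `auditAts` and the sample domains are hypothetical names.

```javascript
// Added example: operates on the plain object a plist parser
// (e.g. plist.parse from the hook above) returns for Info.plist.
const GLOBAL_BYPASS_KEYS = [
  'NSAllowsArbitraryLoads',
  'NSAllowsArbitraryLoadsInWebContent',
  'NSAllowsArbitraryLoadsForMedia',
];

// Remove the global bypass keys in place; per-domain exceptions are kept.
function hardenAts(info) {
  const ats = info.NSAppTransportSecurity;
  if (!ats || typeof ats !== 'object') return []; // no ATS dict: iOS defaults (ATS on) apply
  const removed = GLOBAL_BYPASS_KEYS.filter((key) => key in ats);
  for (const key of removed) delete ats[key];
  return removed; // names of the keys that were deleted
}

// Report every setting that still weakens ATS; an empty array means none found.
function auditAts(info) {
  const ats = info.NSAppTransportSecurity;
  if (!ats || typeof ats !== 'object') return [];
  const findings = GLOBAL_BYPASS_KEYS
    .filter((key) => ats[key] === true)
    .map((key) => `${key} is true`);
  for (const [domain, rules] of Object.entries(ats.NSExceptionDomains || {})) {
    if (rules && rules.NSExceptionAllowsInsecureHTTPLoads === true) {
      findings.push(`${domain} allows insecure HTTP loads`);
    }
  }
  return findings;
}

// Constructed sample: the state described in the thread after prepare, plus hypothetical domains.
const sampleInfo = {
  CFBundleName: 'MyApp',
  NSAppTransportSecurity: {
    NSAllowsArbitraryLoads: true,
    NSExceptionDomains: {
      'legacy.example.com': { NSExceptionAllowsInsecureHTTPLoads: true },
      'api.example.com': { NSIncludesSubdomains: true },
    },
  },
};

const before = auditAts(sampleInfo);
const removedKeys = hardenAts(sampleInfo);
const after = auditAts(sampleInfo);
console.log({ before, removedKeys, after });
```

In an after_prepare hook, throwing when `auditAts` returns findings stops the build instead of shipping a weakened plist.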

I noticed that in the default iOS template for Capacitor, NSAllowsArbitraryLoads is set to true:

Is this required, and if it is, should it be in the documentation? Apple will likely ask why this is set and I’m not sure I can give them a valid reason.

Anyone still interested in this issue?

Cannot use the config.xml configuration to set it FALSE.

@pazel’s answer is an option, but a very basic configuration for iOS should not introduce such a headache with Ionic/Cordova… Thanks!