Malformed ATS Configuration

Description

The issue is an incorrectly structured NSExceptionDomains entry in the application's App Transport Security (ATS) configuration, the NSAppTransportSecurity dictionary in Info.plist. NSExceptionDomains must be a dictionary keyed by domain name (or IP address), and the value for each key must itself be a dictionary holding that domain's security attributes: NSIncludesSubdomains, NSExceptionAllowsInsecureHTTPLoads, NSExceptionMinimumTLSVersion and NSExceptionRequiresForwardSecrecy. When an entry deviates from this shape (for example, a domain whose value is a string rather than a dictionary), the entry no longer expresses the policy the developer intended, so the effective ATS policy for that domain is not what the configuration appears to say, and the mismatch can surface as a security weakness or as unexpected connection behaviour. Note that the examples below are about structure only: an entry that sets NSExceptionAllowsInsecureHTTPLoads to true is well-formed, but it still relaxes ATS by permitting cleartext HTTP to that domain, so each exception should also be justified on its own merits.

Correct example (each domain maps to a dictionary of attributes):

   <dict>
       <key>NSExceptionDomains</key>
       <dict>
           <key>test.io</key>
           <dict>
               <key>NSExceptionAllowsInsecureHTTPLoads</key>
               <true/>
           </dict>
           <key>example-mobile.com</key>
           <dict>
               <key>NSExceptionAllowsInsecureHTTPLoads</key>
               <true/>
           </dict>
       </dict>
   </dict>

Incorrect example (the value for test.io is a string, not a dictionary):

   <dict>
       <key>NSExceptionDomains</key>
       <dict>
           <key>test.io</key>
           <string>test</string>
           <key>example-mobile.com</key>
           <dict>
               <key>NSExceptionAllowsInsecureHTTPLoads</key>
               <true/>
           </dict>
       </dict>
   </dict>

Recommendation

Make every NSExceptionDomains entry conform to the structure below: one dictionary per domain, containing only the documented attribute keys with values of the documented types (Boolean keys as <true/> or <false/>, not as strings). Note that a plist syntax check such as plutil -lint does not catch this class of mistake, because the incorrect example above is still a syntactically valid property list; the ATS structure has to be checked against the expected schema itself. The expected structure is:

 NSExceptionDomains : Dictionary {
     <domain-name-or-ip-address-string> : Dictionary {
         NSIncludesSubdomains : Boolean
         NSExceptionAllowsInsecureHTTPLoads : Boolean
         NSExceptionMinimumTLSVersion : String
         NSExceptionRequiresForwardSecrecy : Boolean
     }
 }
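As an added worked example (not part of the original page, and not an Apple tool), the following Python script checks an Info.plist against the schema above using the standard library's plistlib. It flags domain entries that are not dictionaries, attribute values of the wrong type, and unknown keys (a misspelled key is a common way to end up with an exception that silently does nothing), and it separately lists the domains for which a well-formed entry still allows cleartext HTTP. The two embedded plists are constructed for this example; the first mirrors the correct example above, the second mirrors the incorrect example plus a hypothetical third domain, api.example.net, with a string-valued Boolean and a miscapitalised key. The set of accepted attribute keys is limited to the four listed in the schema on this page, which is an assumption of this example.

```python
import plistlib
from typing import List

# Attribute keys permitted inside one NSExceptionDomains entry and their expected
# plist types, taken from the schema on this page. Assumption of this example:
# any key outside this set is reported as unknown.
EXCEPTION_KEY_TYPES = {
    "NSIncludesSubdomains": bool,
    "NSExceptionAllowsInsecureHTTPLoads": bool,
    "NSExceptionMinimumTLSVersion": str,
    "NSExceptionRequiresForwardSecrecy": bool,
}

# Constructed sample: structurally correct ATS configuration (both entries are dictionaries).
CORRECT_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>test.io</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
      <key>example-mobile.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>""".encode("utf-8")

# Constructed sample: malformed configuration. test.io maps to a string, and the
# hypothetical api.example.net entry uses a string where a Boolean is expected and
# a miscapitalised key (NSExceptionMinimumTlsVersion) that ATS would not recognise.
MALFORMED_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>test.io</key>
      <string>test</string>
      <key>example-mobile.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
      <key>api.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <string>YES</string>
        <key>NSExceptionMinimumTlsVersion</key>
        <string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>""".encode("utf-8")


def _exception_domains(plist_bytes: bytes):
    """Return the NSExceptionDomains value from an Info.plist (XML or binary), or None."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return None
    return ats.get("NSExceptionDomains")


def check_exception_domains(plist_bytes: bytes) -> List[str]:
    """Return one finding per structural problem; an empty list means the entries conform."""
    findings: List[str] = []
    domains = _exception_domains(plist_bytes)
    if domains is None:
        return findings  # no ATS exceptions configured, nothing to check
    if not isinstance(domains, dict):
        return [f"NSExceptionDomains must be a dictionary, got {type(domains).__name__}"]
    for domain, attrs in domains.items():
        if not isinstance(attrs, dict):
            findings.append(f"{domain}: entry must be a dictionary, got {type(attrs).__name__}")
            continue
        for key, value in attrs.items():
            expected = EXCEPTION_KEY_TYPES.get(key)
            if expected is None:
                findings.append(f"{domain}: unknown key {key}")
            elif not isinstance(value, expected):  # bool is checked before int-like confusion applies
                findings.append(f"{domain}: {key} must be {expected.__name__}, got {type(value).__name__}")
    return findings


def insecure_http_domains(plist_bytes: bytes) -> List[str]:
    """Sorted list of domains whose well-formed entry genuinely permits cleartext HTTP.
    A string value such as "YES" is not the Boolean true and is deliberately not counted."""
    domains = _exception_domains(plist_bytes)
    if not isinstance(domains, dict):
        return []
    return sorted(
        d for d, attrs in domains.items()
        if isinstance(attrs, dict) and attrs.get("NSExceptionAllowsInsecureHTTPLoads") is True
    )


if __name__ == "__main__":
    for label, blob in (("correct", CORRECT_PLIST), ("malformed", MALFORMED_PLIST)):
        print(f"[{label}] structural findings: {check_exception_domains(blob)}")
        print(f"[{label}] cleartext HTTP allowed for: {insecure_http_domains(blob)}")
```

To run it against a real app, read the bytes of the bundle's Info.plist (plistlib accepts both the XML and the binary encoding) and pass them to the two functions; the split between structural findings and the cleartext list keeps "the configuration is malformed" separate from "the configuration is well-formed but weakens ATS", which are different findings for a review.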

Standards

  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2