Insecure HTTP connections are disabled by default on iOS and Android
If your code tries to open an HTTP connection to a host
on iOS or Android, a
StateException is now thrown with
the following message:
Insecure HTTP is not allowed by platform: <host>
Use HTTPS instead.
Starting with Android API 28 and iOS 9, these platforms disable insecure HTTP connections by default.
With this change Flutter also disables insecure connections on mobile platforms. Other platforms (desktop, web, etc) are not affected.
You can override this behavior by following the platform-specific guidelines to define a domain-specific network policy. See the migration guide below for details.
Much like the platforms, the application can still open insecure socket connections. Flutter does not enforce any policy at socket level; you would be responsible for securing the connection.
On iOS, you can add NSExceptionDomains to your application’s Info.plist.
On Android, you can add a network security config XML.
For Flutter to find your XML file, you need to also add a
metadata entry to the
<application> tag in your manifest.
This metadata entry should carry the name:
io.flutter.network-policy and should contain the
resource identifier of the XML.
For instance, if you put your XML configuration under
your manifest would contain the following:
<application ...> ... <meta-data android:name="io.flutter.network-policy" android:resource="@xml/network_security_config"/> </application>
Allowing cleartext connection for debug builds
If you would like to allow HTTP connections for Android debug builds, you can add the following snippet to your $project_path\android\app\src\debug\AndroidManifest.xml:
For iOS, you can follow these instructions to create a
Info-debug.plist and put this in:
<key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoads</key> <true/> </dict>
We do not recommend you do this for your release builds.
- Build time configuration is the only way to change network policy. It cannot be modified at runtime.
- Localhost connections are always allowed.
- You can allow insecure connections only to domains. Specific IP addresses are not accepted as input. This is in line with what platforms support. If you would like to allow IP addresses, the only option is to allow cleartext connections in your app.
Landed in version: 1.23
In stable release: 2.0.0
Reverted in version: 2.2.0 (proposed)
API documentation: There’s no API for this change since the modification to network policy is done through the platform specific configuration as detailed above.