# no-allow-arbitrary-loads
Prevents disabling App Transport Security (ATS) by detecting `allowArbitraryLoads: true` in configuration.
Keywords: ATS, App Transport Security, iOS security, CWE-295, NSAppTransportSecurity, allowArbitraryLoads, mobile security
⚠️ This rule errors by default in the recommended config.
## Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-295 (Improper Certificate Validation) |
| OWASP Mobile | M5: Insecure Communication |
| Severity | High |
| Category | Mobile Security |
## Rule Details

App Transport Security (ATS) enforces secure connections for iOS/macOS applications. Setting `allowArbitraryLoads: true` disables this protection entirely, allowing insecure HTTP connections and weakening certificate validation.

This rule detects configuration that disables ATS protection.
## Examples

### ❌ Incorrect

```javascript
// Disabling ATS entirely - DANGEROUS
const config = {
  NSAppTransportSecurity: {
    allowArbitraryLoads: true, // Allows all insecure connections
  },
};
```

```javascript
// In Info.plist configuration (parsed as JSON)
const plist = {
  NSAppTransportSecurity: {
    NSAllowsArbitraryLoads: true,
    allowArbitraryLoads: true,
  },
};
```

### ✅ Correct

```javascript
// Keep ATS enabled (default)
const config = {
  NSAppTransportSecurity: {
    allowArbitraryLoads: false, // Or omit entirely
  },
};
```

```javascript
// Allow exceptions only for specific domains
const config = {
  NSAppTransportSecurity: {
    NSExceptionDomains: {
      'legacy-api.example.com': {
        NSTemporaryExceptionAllowsInsecureHTTPLoads: true,
      },
    },
  },
};
```

## Error Message Format
When triggered, this rule produces:

```
🔒 CWE-295 | Prevent configuration allowing insecure loads detected - allowArbitraryLoads: true | HIGH
Fix: Review and apply secure practices | https://cwe.mitre.org/data/definitions/295.html
```

## Known False Negatives
The following patterns are not detected due to static analysis limitations:
### Dynamic Configuration

Why: Configuration values set dynamically at runtime cannot be traced.

```javascript
// ❌ NOT DETECTED - Dynamic value
const enableInsecure = process.env.ALLOW_INSECURE === 'true';
const config = { allowArbitraryLoads: enableInsecure };
```

Mitigation: Never use environment variables to control security settings.
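A minimal rule in ESLint's rule shape that implements the detection described under Rule Details, including the literal-only matching that makes the dynamic configuration above a known false negative. This is an added, illustrative example, not the plugin's own source; it assumes the `NSAllowsArbitraryLoads` spelling is flagged alongside `allowArbitraryLoads`, and `lintObjectExpression` plus the `prop`/`lit`/`obj` builders are scaffolding of this example for running the visitor over a constructed AST, not ESLint APIs.

```javascript
// Illustrative reimplementation in ESLint's rule shape; not the plugin's own source.
// Assumption: the NSAllowsArbitraryLoads spelling is flagged alongside allowArbitraryLoads.
const FLAGGED_KEYS = new Set(['allowArbitraryLoads', 'NSAllowsArbitraryLoads']);
const CWE_URL = 'https://cwe.mitre.org/data/definitions/295.html';
// Resolves the key for both `allowArbitraryLoads: true` and `'allowArbitraryLoads': true`.
function propertyKeyName(node) {
  if (node.key.type === 'Identifier' && !node.computed) return node.key.name;
  if (node.key.type === 'Literal' && typeof node.key.value === 'string') return node.key.value;
  return null;
}
const rule = {
  meta: {
    type: 'problem',
    docs: { description: 'Prevents disabling ATS via allowArbitraryLoads: true', recommended: true },
    messages: {
      insecureLoads: '🔒 CWE-295 | Prevent configuration allowing insecure loads detected - {{key}}: true | HIGH\n'
        + 'Fix: Review and apply secure practices | ' + CWE_URL,
    },
    schema: [],
  },
  create(context) {
    return {
      Property(node) {
        const key = propertyKeyName(node);
        // Literal `true` only: `false` is the secure default; an identifier or call is the documented false negative.
        if (key !== null && FLAGGED_KEYS.has(key)
            && node.value.type === 'Literal' && node.value.value === true) {
          context.report({ node, messageId: 'insecureLoads', data: { key } });
        }
      },
    };
  },
};
// Drives the visitor over a constructed ESTree object literal without running ESLint itself.
function lintObjectExpression(objectExpression) {
  const reports = [];
  const visitors = rule.create({ report: (r) => reports.push(r) });
  (function walk(node) {
    if (node.type === 'Property') { visitors.Property(node); walk(node.value); }
    else if (node.type === 'ObjectExpression') node.properties.forEach(walk);
  })(objectExpression);
  return reports.map((r) => r.data.key);
}
// Minimal ESTree builders for constructed configs mirroring the page's examples (not ESLint APIs).
const prop = (name, value) => ({ type: 'Property', computed: false, value,
  key: /^[A-Za-z_$][\w$]*$/.test(name) ? { type: 'Identifier', name } : { type: 'Literal', value: name } });
const lit = (value) => ({ type: 'Literal', value });
const obj = (...properties) => ({ type: 'ObjectExpression', properties });
```

Running `lintObjectExpression` over the page's incorrect example returns the flagged key names, while the domain-exception config and the runtime-decided value return nothing.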
### Configuration in External Files

Why: The rule only checks JavaScript/TypeScript, not Info.plist XML.

```xml
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>
```

Mitigation: Use plist linting tools for native iOS configuration.
## When Not To Use It
- In development environments with local HTTP servers (use domain exceptions instead)
- When targeting iOS 8 or earlier (ATS was introduced in iOS 9)
## Further Reading
- OWASP Mobile Top 10 - M5: Insecure Communication
- Apple ATS Documentation
- CWE-295: Improper Certificate Validation
## Related Rules
- no-disabled-certificate-validation
- no-insecure-ssl (in eslint-plugin-pg)
Category: Mobile Security
Type: Problem
Recommended: Yes