Insecure HTTP connections are disabled by default on iOS and Android.


If your code tries to open an HTTP connection to a host on iOS or Android, a StateException is now thrown with the following message:

Insecure HTTP is not allowed by platform: <host>

Use HTTPS instead.


Starting with Android API 28 and iOS 9, these platforms disable insecure HTTP connections by default.

With this change Flutter also disables insecure connections on mobile platforms. Other platforms (desktop, web, etc) are not affected.

You can override this behavior by following the platform-specific guidelines to define a domain-specific network policy. See migration guide below for details.

Much like the platforms, the application can still open insecure socket connections. Flutter does not enforce any policy at socket level; you would be responsible for securing the connection.

Migration guide

On iOS, you can add NSExceptionDomains to your application’s Info.plist.

On Android, you can add a network security config XML. For Flutter to find your XML file, you need to also add a metadata entry to the <application> tag in your manifest. This metadata entry should carry the name: and should contain the resource identifier of the XML.

For instance, if you put your XML configuration under res/xml/network_security_config.xml, your manifest would contain:

<application ...>
  <meta-data android:name=""


  • Build time configuration is the only way to change network policy. It cannot be modified at runtime.
  • Localhost connections are always allowed.
  • You can allow insecure connections only to domains. Specific IP addresses are not accepted as input. This is in line with what platforms support.


Landed in version: 1.23
In stable release: not yet


API documentation: There’s no API for this change since the modification to network policy is done via platform specific configuration as detailed above.

Relevant PRs: