<network-security-config> <debug-overrides> <trust-anchors> <!-- Trust user added CAs while debuggable only --> <certificates src="user" /> </trust-anchors> </domain-config> </network-security-config>
<network-security-config> <domain-config> <domain includeSubdomains="true">internal.example.com</domain> <trust-anchors> <!-- Only trust the CAs included with the app for connections to internal.example.com --> <certificates src="@raw/cas" /> </trust-anchors> </domain-config> </network-security-config>
<network-security-config> <domain-config> <domain includeSubdomains="true">userCaDomain.com</domain> <domain includeSubdomains="true">otherUserCaDomain.com</domain> <trust-anchors> <!-- Trust preinstalled CAs --> <certificates src="system" /> <!-- Additionally trust user added CAs --> <certificates src="user" /> </trust-anchors> </domain-config> </network-security-config>
<network-security-config> <base-config> <trust-anchors> <!-- Trust preinstalled CAs --> <certificates src="system" /> <!-- Additionally trust user added CAs --> <certificates src="user" /> </trust-anchors> </base-config> <domain-config> <domain includeSubdomains="true">sensitive.example.com</domain> <trust-anchors> <!-- Only allow sensitive content to be exchanged with the real server and not any user or admin configured MiTMs --> <certificates src="system" /> <trust-anchors> </domain-config> </network-security-config>
<network-security-config> <base-config> <trust-anchors> <!-- Trust preinstalled CAs --> <certificates src="system" /> <!-- Additionally trust user added CAs --> <certificates src="user" /> </trust-anchors> </base-config> </network-security-config>