# Trajectories

The Trajectory Whitelist and Blacklist feature gives you precise control over which API endpoints are included or excluded during external security assessments. This allows you to define the exact scope of automated testing, ensuring that scans focus only on relevant API endpoints.

### Key Features

* **Per-host rules** — Rules are applied independently for each host or domain.
* **Regex pattern matching** — Use powerful regular expressions to match complex path patterns flexibly.
* **Blacklist takes precedence** — Any path matching a blacklist rule is always excluded, even if it also matches a whitelist rule.

### Trajectory Whitelist

The whitelist defines which API paths are **allowed** to be tested for a given host. Only endpoints whose paths match at least one whitelist regex pattern will be included in the external assessment.

Use the whitelist when you want to restrict testing to specific, known API areas.

<figure><img src="https://232193438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwolEZzMm5QD9NoFKutSj%2Fuploads%2FFc8IMpbL1sXCKNJXcAUe%2Fimage.png?alt=media&#x26;token=3ce168fd-34b5-4186-85bf-22d43e9b6f77" alt=""><figcaption></figcaption></figure>

### Trajectory Blacklist

The blacklist defines which API paths must be **excluded** from testing. Any endpoint whose path matches a blacklist regex pattern will be completely ignored during the assessment, regardless of whether it matches a whitelist rule.

**Important**: Blacklist rules always override whitelist rules.

<figure><img src="https://232193438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwolEZzMm5QD9NoFKutSj%2Fuploads%2FoKaapEW3BwruT0J2dOyE%2Fimage.png?alt=media&#x26;token=5945ceb2-639b-4886-85be-eb3f2a6c39d2" alt=""><figcaption></figcaption></figure>

### How to Configure Rules

1. Navigate to the **Trajectory** section in the Settings page.
2. **Under the Trajectory Whitelist Section, choose a host**:
   * Select an existing discovered host from the list, or
   * Choose **Select Custom Host** and enter the hostname manually.
3. **Add a rule**:
   * Enter a valid regex pattern for the path.
   * Click **Add rule**.
4. Repeat the process to add multiple rules for the same host or a different host.

You can add rules to both the **Trajectory Whitelist** and **Trajectory Blacklist** sections independently.

### Common Regex Pattern Examples

Here are useful patterns to get you started:

```
^/api/users$ — Matches the exact path /api/users only (anchored on both ends, so /api/users/123 does not match)
/api/users/.* — Matches /api/users/ followed by anything (e.g., /api/users/123)
^/api/v[0-9]+/.* — Matches versioned API paths like /api/v1/, /api/v2/, etc.
^/api/(users|posts|comments)/.* — Matches specific resources: /api/users/…, /api/posts/…, or /api/comments/…
^/admin/.* — Matches all admin-related paths (useful for blacklisting)
^/(api|graphql)/.* — Matches both REST API and GraphQL endpoints
.*\.(js|css|png|jpg|gif)$ — Matches static asset files (recommended for blacklisting)
```

### Testing Your Rules (Examples Section)

Before launching an external assessment, always verify your whitelist and blacklist configuration using the **Examples** testing area on the right side of the page.

**How to test**:

1. Select a host from the dropdown.
2. View the list of currently discovered API endpoints.
3. Each endpoint will show whether it **passes** (included) or **fails** (excluded) based on your rules.
4. You can also enter custom paths to test them instantly.

{% hint style="info" %}
This step is crucial because the entire API testing scope depends on the correct whitelist and blacklist behaviour. Testing here helps catch misconfigured regex patterns early and prevents unintended inclusion or exclusion of endpoints.
{% endhint %}
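The evaluation the Examples area performs, written out as an added illustration (this is not the product's own code): per-host rules, a blacklist hit always excludes, and otherwise at least one whitelist rule must match. The host name, the sample paths and the use of `re.search` for matching are assumptions made for the example.

```python
import re

# Constructed sample configuration in the shape the page describes: rules are
# kept per host, as separate whitelist and blacklist regex lists.
RULES = {
    "api.example.com": {
        "whitelist": [r"^/api/v[0-9]+/.*", r"^/api/(users|posts|comments)/.*"],
        "blacklist": [r"^/admin/.*", r".*\.(js|css|png|jpg|gif)$"],
    },
}

def compile_rules(rules):
    """Compile every pattern up front so a malformed regex is reported
    before an assessment launches instead of silently matching nothing."""
    compiled = {}
    for host, lists in rules.items():
        compiled[host] = {"whitelist": [], "blacklist": []}
        for kind in ("whitelist", "blacklist"):
            for pattern in lists.get(kind, []):
                try:
                    compiled[host][kind].append(re.compile(pattern))
                except re.error as exc:
                    raise ValueError(f"{host} {kind} rule {pattern!r}: {exc}") from exc
    return compiled

def in_scope(compiled, host, path):
    """Blacklist is checked first because it always wins; a path that
    survives it must then match at least one whitelist rule for the host.
    Assumption: patterns are applied with re.search, not full-string match."""
    lists = compiled.get(host)
    if lists is None:
        return False, "fails: no rules configured for host"
    for rx in lists["blacklist"]:
        if rx.search(path):
            return False, f"fails: blacklist {rx.pattern}"
    for rx in lists["whitelist"]:
        if rx.search(path):
            return True, f"passes: whitelist {rx.pattern}"
    return False, "fails: no whitelist rule matched"

def evaluate(rules, host, paths):
    """Mirror the Examples area: return {path: (included, reason)}."""
    compiled = compile_rules(rules)
    return {p: in_scope(compiled, host, p) for p in paths}

if __name__ == "__main__":
    samples = ["/api/v1/orders", "/api/users/42", "/admin/users", "/api/v1/app.js", "/health"]
    for path, (_, why) in evaluate(RULES, "api.example.com", samples).items():
        print(f"{path:16} {why}")
```

Note that `/api/v1/app.js` matches the versioned-API whitelist rule yet is still excluded, which is exactly the precedence the page states.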

<figure><img src="https://232193438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwolEZzMm5QD9NoFKutSj%2Fuploads%2Fr44Ivu4fQoPCJVxBQBPB%2Fimage.png?alt=media&#x26;token=ab535abd-41d0-4561-a9b1-4c33f65254b7" alt=""><figcaption></figcaption></figure>
