Trajectories
Add Trajectory Whitelist and Blacklist
The Trajectory Whitelist and Blacklist feature gives you precise control over which API endpoints are included or excluded during external security assessments. This allows you to define the exact scope of automated testing, ensuring that scans focus only on relevant API endpoints.
Key Features
Per-host rules — Rules are applied independently for each host or domain.
Regex pattern matching — Use powerful regular expressions to match complex path patterns flexibly.
Blacklist takes precedence — Any path matching a blacklist rule is always excluded, even if it also matches a whitelist rule.
Trajectory Whitelist
The whitelist defines which API paths are allowed to be tested for a given host. Only endpoints whose paths match the whitelist regex pattern will be included in the external assessment.
Use the whitelist when you want to restrict testing to specific, known API areas.

Trajectory Blacklist
The blacklist defines which API paths must be excluded from testing. Any endpoint whose path matches a blacklist regex pattern will be completely ignored during the assessment, regardless of whether it matches a whitelist rule.
Important: Blacklist rules always override whitelist rules.

How to Configure Rules
Navigate to the Trajectory section in the Settings page.
Under the Trajectory Whitelist section, choose a host:
Select an existing discovered host from the list, or
Choose Select Custom Host and enter the hostname manually.
Add a rule:
Enter a valid regex pattern for the path.
Click Add rule.
Repeat the process to add multiple rules for the same host or a different host.
You can add rules to both the Trajectory Whitelist and Trajectory Blacklist sections independently.
Common Regex Pattern Examples
Here are useful patterns to get you started:
Testing Your Rules (Examples Section)
Before launching an external assessment, always verify your whitelist and blacklist configuration using the Examples testing area on the right side of the page.
How to test:
Select a host from the dropdown.
View the list of currently discovered API endpoints.
Each endpoint will show whether it passes (included) or fails (excluded) based on your rules.
You can also enter custom paths to test them instantly.
