Whitelisting an application for CORS
Last updated: April 24, 2023
Read time: 2 Minutes
This enables you to develop more powerful integrated applications that can fetch the relevant data, create and edit sites, and launch new scans directly from the browser using AJAX.
Even if you're integrating Burp Suite Enterprise Edition with your CI/CD system using our native plugins, you still need to whitelist your Jenkins or TeamCity URL in order to use the Burp site-driven scan option.
You can whitelist as many origins as you want, each separated by a new line:
- Log in to Burp Suite Enterprise Edition as an administrator.
- From the settings menu , select Network.
In the Allowed Origins for GraphQL API section, enter the origin on which the other application is running. make sure that you include the URL scheme, domain name, and port. For example:
- When you're sure your entries are correct, click Save.
- Test your external application to make sure it works as expected.
If you still run into CORS-related issues, examine the
Origin header of the associated request and compare this to the URLs that you have in the whitelist. There should be no discrepancies.
The origin of incoming requests refers only to the URL scheme, domain name, and port. In other words, you can whitelist all cross-origin requests from
https://example.com:8080 but you cannot restrict this to specific subdirectories such as
https://example.com:8080/my-app. For more granular control, you need to deploy your application to a dedicated subdomain:
For more information about CORS, the same-origin policy, and the related security implications, please refer to the corresponding topic on our Web Security Academy.Cross-origin resource sharing
Was this article helpful?
An error occurred, please try again.