The browser extension needs to be able to communicate with ZAP, but it must do so securely so that malicious targets cannot abuse the API endpoints that this add-on defines. Passing configuration details to browser extensions can be tricky, so this is done in two different ways depending on how the browsers are launched.
If Firefox or Chrome are launched from ZAP with this add-on enabled then it automatically adds the ZAP browser extension. The add-on also opens a callback URL like:
The browser extension detects URLs of this format in the content script index.ts and then uses this URL to pass data from the browser back to ZAP.
If you launch Firefox or Chrome in any other way then you will need to install the browser extension yourself from:
Once installed you will need to configure the ZAP browser extension manually. In Firefox or Chrome:
You will need to configure:
ZAP API URL: the default is
and should work in all cases, but you can also use the host and port ZAP is listening on, e.g.
ZAP API Key: you can find this in the ZAP API Options screen. You can leave the ZAP API Key blank if you have turned off the API key in ZAP, but this is only recommended in a safe environment where you trust the websites you will be accessing via ZAP.
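As an added illustration (not the add-on's own code), the snippet below shows how an extension can hold the manually configured ZAP API URL and API key, reject a malformed URL, and attach the key as a request header rather than in the URL. The settings field names and the `buildZapRequest` helper are constructed for this example; `X-ZAP-API-Key` is ZAP's standard API key header and `JSON/core/view/version/` is a core ZAP endpoint used only as a sample target.

```javascript
// Example only: constructed to mirror the manual configuration described above.
// settings.zapApiUrl  -> the "ZAP API URL" value entered in the extension options
// settings.zapApiKey  -> the "ZAP API Key" value (may be blank if the key is disabled)

// Normalise the configured API URL to "<scheme>://<host>[:port]/".
// A bare "host:port" without a scheme parses with a bogus scheme and is rejected.
function normalizeApiUrl(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch (e) {
    throw new Error(`Invalid ZAP API URL: ${raw}`);
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`ZAP API URL must use http or https: ${raw}`);
  }
  return url.origin + '/';
}

// Build the URL and headers for a call to ZAP. The key travels in a header so it
// does not end up in history, referrers or access logs. `keyless` flags the case
// the docs warn about: with no key, any site proxied through ZAP could call the API.
function buildZapRequest(settings, endpointPath) {
  const base = normalizeApiUrl(settings.zapApiUrl);
  const headers = { Accept: 'application/json' };
  const key = (settings.zapApiKey || '').trim();
  if (key) {
    headers['X-ZAP-API-Key'] = key;
  }
  return {
    url: new URL(endpointPath, base).toString(),
    headers,
    keyless: key === '',
  };
}

// Usage with constructed settings (the key value is a placeholder, not a real key).
const exampleSettings = { zapApiUrl: 'http://localhost:8080', zapApiKey: 'EXAMPLE-KEY' };
const req = buildZapRequest(exampleSettings, 'JSON/core/view/version/');
console.log(req.url, req.keyless ? '(no API key configured)' : '(API key attached)');
```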