-
Add-ons
- Access Control Testing
-
Active Scan Rules
-
Active Scan Rules - Alpha
-
Active Scan Rules - Beta
-
Advanced SQLInjection Add-on
- AJAX Spider
- Alert Filters
- All In One Notes
-
AMF Support
- Authentication Helper
-
Authentication Statistics
-
Automation Framework
- Automation Framework - About
- Automation Framework - authentication
- Automation Framework - Environment
- Automation Framework - GUI
- Automation Framework - addOns Job
- Automation Framework - activeScan Job
- Automation Framework - delay Job
- Automation Framework - passiveScan-config Job
- Automation Framework - passiveScan-wait Job
- Automation Framework - requestor Job
- Automation Framework - spider Job
- Automation Framework - Options
- Automation Framework - Alert Job Test
- Automation Framework - Monitor Job Test
- Automation Framework - Statistics Job Test
- Automation Framework - URL Presence Job Tests
- Automation Framework - Job Tests
-
Bean Shell Console
-
BIRT Reports
-
Browser View
-
Bug Tracker
-
Call Graph
-
Call Home
- Client Side Integration
-
Code Dx
-
Collection: Pentester Pack
-
Collection: Scan Rules Pack
-
Common Library
-
Community Scripts
- Custom Payloads
-
Custom Report
-
Database Add-on
-
Dev Add-On
-
Diff
-
Directory List v1.0
-
Directory List v2.3
-
Directory List v2.3 LC
- DOM XSS Active Scan Rule
- Encode / Decode / Hash dialog
-
Eval Villain
-
Export Report
- Forced Browse
-
Form Handler
-
FuzzDB Files
-
FuzzDB Offensive
-
FuzzDB Web Backdoors
- Fuzzing
-
Getting Started Guide
-
GraalVM JavaScript
- GraphQL Support
- Groovy Support
-
Highlighter
-
HTTPS Info
- The HUD
- Import/Export
-
Import URLs
- Invoke Applications
-
JSON View
-
Kotlin Support
-
Linux WebDrivers
-
Log File Importer
-
MacOS WebDrivers
-
Neonmarker
- Network Add-on
- Out-of-band Application Security Testing Support
-
Online Menu
- OpenAPI Support
- Parameter Digger
-
Passive Scan Rules
-
Passive Scan Rules - Alpha
-
Passive Scan Rules - Beta
- Plug-n-Hack
- Port Scan
- Postman Support
- Python Scripting
- Quick Start
-
Regular Expression Tester
- Replacer
-
Report Alert Generator
-
Report Generation
- Report Generation - About
- Report Generation API
- Report Generation Automation Framework Support
- Creating Reports
- High Level Report Sample
- Modern HTML Report with themes and options
- Risk and Confidence HTML
- SARIF JSON Report
- Traditional HTML with Requests and Responses
- Traditional HTML
- Traditional JSON Report with Requests and Responses
- Traditional JSON Report
- Traditional Markdown Report
- Traditional PDF
- Traditional XML Report with Requests and Responses
- Traditional XML Report
- Report Templates
- Requester Add-on
- Retest
-
Retire.js
-
Reveal
-
Revisit
-
Ruby Scripting
-
SAML Support
-
Save Raw Message
-
Save XML Message
- Script Console
- Selenium
-
Sequence Scanner
- Server-Sent Events
- SOAP Support
- Spider
-
SVN Digger Files
- Technology Detection
-
Tips and Tricks
-
TLS Debug
- Token Generation and Analysis
-
TreeTools
-
Value Generator
-
ViewState
- WebSockets
-
Windows WebDrivers
-
Zest
-
Releases
- Release 1.0.0
- Release 1.1.0
- Release 1.2.0
- Release 1.3.0
- Release 1.3.1
- Release 1.3.2
- Release 1.3.3
- Release 1.3.4
- Release 1.4.0
- Release 1.4.1
- Release 2.0.0
- Release 2.1.0
- Release 2.10.0
- Release 2.11.0
- Release 2.11.1
- Release 2.12.0
- Release 2.13.0
- Release 2.14.0
- Release 2.2.0
- Release 2.2.1
- Release 2.2.2
- Release 2.3.0
- Release 2.3.1
- Release 2.4.0
- Release 2.4.1
- Release 2.4.2
- Release 2.4.3
- Release 2.5.0
- Release 2.6.0
- Release 2.7.0
- Release 2.8.0
- Release 2.9.0
-
Getting Started
- Scanner Rules
-
Features
- Add-ons
- Alerts
- Anti CSRF Handling
- API
- Active Scan
- Authentication
- Authentication Methods
- Authentication Verification Strategies
- Breakpoints
- Callbacks
- Contexts
- Custom Page
- Data Driven Content
- Globally Excluded URLs
- HTTP Sessions
- Manipulator-in-the-middle Proxy
- Marketplace
- Modes
- Notes
- Passive Scan
- Software Bill of Materials
- Scan Policy
- Scope
- Scripts
- Session Management
- Sites Tree
- Spider
- Statistics
- Structural Modifiers
- Structural Parameters
- Tags
- Users
- A Basic Penetration Test
- Configuring Proxies
-
Desktop UI Overview
-
Dialogs
- Add Alert dialog
- Add/Edit Breakpoint dialog
- Add Note dialog
- Active Scan dialog
- Encode / Decode / Hash dialog
- Find dialog
- History Filter dialog
- Manual Request Editor dialog
- Manage Add-ons
- Manage History Tags dialog
-
Options dialog
- Options Alerts screen
- Options Anti CRSF screen
- Options API screen
- Options Active Scan screen
- Options Active Scan Input Vectors screen
- Options Breakpoints screen
- Options Callback Address screen
- Options Client Certificate screen
- Options Check for Updates screen
- Options Connection screen
- Options Database screen
- Dynamic SSL Certificates
- Options Extensions screen
- Options Global Exclude URL screen
- Options HTTP Sessions screen
- Options JVM screen
- Options Keyboard screen
- Options language screen
- Options Local Proxies screen
- Options Passive Scan Tags screen
- Options Passive Scanner Screen
- Options Passive Scan Rules Screen
- Options Rule Configuration screen
- Options Scripts screen
- Options Search screen
- Options Spider screen
- Options Statistics screen
- Options Display screen
- Persist Session dialog
- Scan Policy Dialog
- Scan Policy Manager dialog
- Scan Progress Dialog
- Session Properties dialog
- Spider dialog
- Footer
- The Tabs
- Top Level Menu
- Top Level Toolbar
- Views
-
Dialogs
- Documentation
- The ZAP Desktop User Guide
- Desktop UI Overview
- Dialogs
- Options dialog
- Options API screen
Options API screen
This screen allows you to configure the API options:
Enabled
If enabled then the API is available to all machines that are able to access ZAP’s proxies that expose the API.
Web UI Enabled
If enabled then the API Web UI is available to all machines that are able to access ZAP’s proxies that expose the API. To access the API Web UI point your browser to the host and port that ZAP is listening on.
Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
File Transfer Enabled
If enabled then files can be transfered to and from ZAP via the API. This option is only available if the API key is not disabled. For more details see File Transfer.
You can also enable this option via the command line using the parameter: -config api.filexfer=true
Transfer Directory
The directory used to transfer files to and from ZAP via the API. This option is only available if the API key is not disabled. For more details see File Transfer.
You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
API Key
A key that must be specified on all API ‘actions’ and some ‘other’ operations.
The API key is used to prevent malicious sites from accessing the ZAP API.
It is strongly recommended that you set a key unless you are using ZAP in a completely isolated environment.
Addresses permitted to use the API
By default only the machine ZAP is running on is able to access the ZAP API.
You can allow other machines access to the API by adding suitable regex patterns.
You should only add IP addresses that you trust.
Note that the ZAP API also now checks the host header, so that must also be one of the permitted addresses.
Disable the API Key
Selecting this option disables the API key.
This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API.
Do not require an API key for safe operations
If enabled then the API key is not required for Views or Other operations that are considered ‘safe’, in other words operations that do not make any changes to ZAP. Such operations do however give access to ZAP data such as alert, messages, and file system paths. They can also be used by web applications to detect the presence of ZAP.
Report permission errors via API
If enabled then ZAP will report permission errors via the API, which can be used by web applications to detect the presence of ZAP. This is not a serious problem in a safe environment but if you are using ZAP against potentially malicious sites then you should not enable it.
Report error details via API
If this option is selected then more error details are returned via the API.
This is not recommended except for debugging purposes as these error messages can leak information to malicious sites.
Note that the full error details are always written to the ZAP log file.
Autofill API key in the API UI
If this option is selected then the API key is automatically included in the API UI.
This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API Key.
Enable JSONP
Selecting this option enables the JSONP format.
This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.
If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys.
See also
| UI Overview | for an overview of the user interface | |
| Options dialogs | for details of the other Options dialog screens |