From 2.12.0 all ZAP ‘calls home’ are made to the zaproxy.org domain.
The availability of these services is shown on an UptimeRobot dashboard.
ZAP makes one request to https://cfu.zaproxy.org to see if ZAP or any of the add-ons are up to date.
The update data is retrieved from the relevant version file in the zap-admin GitHub repo, e.g. ZapVersions-2.12.xml.
This check is done at most once per day and can be disabled via the Desktop UI Check for Updates Options screen.
The following information is supplied:
- ZAP version
- ZAP runtime type (commandline, daemon or desktop)
- OS name and version
- Java version
- If ZAP is running in a known container (such as Docker)
The IP address of each request is recorded, but the least significant part is zeroed to maintain anonymity.
The Quick Start add-on makes one request to https://news.zaproxy.org to see if there is any new ZAP news.
The data is retrieved from the relevant quick start file in the zap-admin GitHub repo, e.g. 2.12.xml.
One call is made when ZAP starts up, reporting environmental data and the add-ons installed, and then one call is made when the ZAP session changes, reporting selected statistics.
The last set of data sent is shown in the Call Home Options panel.
Historically ZAP made a limited set of ‘calls home’ via bitly.com URLs.
These were all discontinued from ZAP 2.12.0.
The -silent command line option can be used to prevent ZAP from making any ‘calls home’.
If you explicitly ask ZAP to check for updates then it will still call the Check for Updates service.
Note that some third party add-ons may not obey the
This FAQ will be updated to detail any of the add-ons in the ZAP Marketplace that fall into this category.
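One way to confirm from the network side that hosts running ZAP with -silent make no calls home is to audit egress proxy logs for zaproxy.org hosts. The script below is an added example, not ZAP project code; the log line format, the source host names and the sample lines are assumptions constructed for illustration.

```python
"""Audit egress proxy logs for ZAP 'calls home' (added example, not ZAP project code)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts named on this page; any other zaproxy.org host is reported as "other".
SERVICES = {"cfu.zaproxy.org": "check-for-updates", "news.zaproxy.org": "news"}
DOMAIN = "zaproxy.org"

# Constructed sample lines in an assumed format: "<timestamp> <source> <method> <URL>"
SAMPLE_LOG = """\
2024-05-01T09:00:02Z ci-runner-1 GET https://cfu.zaproxy.org/
2024-05-01T09:00:03Z ci-runner-1 GET https://news.zaproxy.org/
2024-05-01T09:05:00Z ci-runner-2 GET https://target.example.test/login
2024-05-01T09:06:00Z ci-runner-2 GET https://zaproxy.org.example.test/
2024-05-01T09:07:00Z ci-runner-3 GET https://notzaproxy.org/
2024-05-01T09:08:00Z ci-runner-3 GET https://CFU.ZAPROXY.ORG./
"""

def classify(url):
    """Return the call-home service for url, or None if it is not a zaproxy.org host."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is already lowercased
    # Match on a label boundary so look-alike hosts are not counted.
    if host != DOMAIN and not host.endswith("." + DOMAIN):
        return None
    return SERVICES.get(host, "other")

def calls_home(log_text):
    """Map source host -> {service: count} for every call home seen in the log."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, source, _method, url = parts
        service = classify(url)
        if service:
            seen[source][service] += 1
    return {src: dict(counts) for src, counts in seen.items()}

def violations(log_text, silent_hosts):
    """Sources expected to run ZAP with -silent that still called home."""
    found = calls_home(log_text)
    return sorted(src for src in silent_hosts if src in found)

if __name__ == "__main__":
    for src, counts in calls_home(SAMPLE_LOG).items():
        print(src, counts)
    print("silent hosts calling home:", violations(SAMPLE_LOG, {"ci-runner-2", "ci-runner-3"}))
```

A check-for-updates hit from a -silent host is not necessarily a misconfiguration, since an explicitly requested update check still calls that service.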