An allowlist (also known as a whitelist) is a security approach that explicitly defines which entities, such as IP addresses, domains, email addresses, applications, or input values, are permitted. Everything not on the list is denied by default. This "default deny" philosophy is considered more secure than its opposite, the blocklist, because it only permits known-good items rather than trying to enumerate all possible threats.
How It Works
Allowlisting operates on a simple principle: define what is acceptable and reject everything else. In network security, a firewall allowlist might specify which IP addresses can connect to a service. In application security, an input validation allowlist defines which characters, formats, or values are acceptable in user input. In email security, an allowlist determines which senders can bypass spam filters.
The implementation varies by context. A Content Security Policy (CSP) header acts as an allowlist for web resources, specifying which domains can serve scripts, styles, and other content. CORS headers allowlist which origins can make cross-origin requests to an API. File upload validation might allowlist specific file extensions and MIME types.
The key advantage of allowlisting over blocklisting is resilience against novel attacks. A blocklist that bans known malicious inputs can be bypassed with new variations the list does not cover. An allowlist that only accepts known-good inputs blocks both known and unknown attack patterns. For example, an allowlist that accepts only alphanumeric characters in a username field automatically prevents SQL injection, XSS, and command injection without needing to know about any of those specific attack techniques.
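As an added illustration (not code from the original page), the following Python puts a blocklist validator for the username field beside the alphanumeric allowlist described above, and applies the same default-deny idea to the file-upload extension and MIME-type check; the blocklist substrings and the accepted upload types are constructed for the example.

```python
import re

# Allowlist: the one shape a username may take. Anything else is denied by default.
# fullmatch() is used rather than match() or "$" anchors so a trailing newline
# or any extra character cannot slip past the pattern.
USERNAME_ALLOWLIST = re.compile(r"[A-Za-z0-9]{3,32}")

# Blocklist: a handful of substrings the author happened to think of
# (constructed for the example; deliberately incomplete, as real ones end up being).
USERNAME_BLOCKLIST = ("<script", "' or", "--", ";")


def blocklist_username_ok(value: str) -> bool:
    """Accept unless a known-bad substring appears (case-insensitive)."""
    lowered = value.lower()
    return not any(bad in lowered for bad in USERNAME_BLOCKLIST)


def allowlist_username_ok(value: str) -> bool:
    """Accept only when the entire value is 3-32 ASCII letters or digits."""
    return USERNAME_ALLOWLIST.fullmatch(value) is not None


# Upload allowlist: extension -> the MIME type that must be declared with it.
# Both must be on the list and must agree (assumed set of image types for the example).
UPLOAD_ALLOWLIST = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg"}


def upload_ok(filename: str, declared_mime: str) -> bool:
    """Accept a filename/MIME pair only if the final extension is allowlisted
    and the declared MIME type is the one expected for that extension."""
    name, sep, ext = filename.rpartition(".")
    if not sep or not name:          # no extension, or a bare ".png" with no name
        return False
    expected = UPLOAD_ALLOWLIST.get(ext.lower())   # "Photo.JPG" == "photo.jpg"
    return expected is not None and declared_mime.lower() == expected


def compare(value: str) -> tuple:
    """Return (blocklist verdict, allowlist verdict) for one constructed input."""
    return blocklist_username_ok(value), allowlist_username_ok(value)


if __name__ == "__main__":
    # Constructed sample inputs: plain names, then variations no blocklist entry covers.
    for sample in ["alice", "Bob123", "<b>alice</b>", "alice\u2019s", "a b", "x" * 40]:
        print(repr(sample), "blocklist:", compare(sample)[0], "allowlist:", compare(sample)[1])
```

Markup and a typographic apostrophe sail through the blocklist because nobody listed them, while the allowlist rejects them without knowing what they are for.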
Why It Matters
Allowlisting is a fundamental principle in secure application design. During security assessments, testers evaluate whether applications use allowlist-based validation rather than blocklist-based filtering. Applications that rely on blocklists to prevent attacks are consistently easier to bypass because attackers only need to find one encoding, variation, or edge case that the blocklist does not cover.