Misc user options

This tab contains settings for hotkeys, automatic project backup, Proxy interception, REST API, Proxy history logging, location of temporary files, and performance feedback.

Hotkeys

These settings let you configure hotkeys for common actions. Numerous types of actions can be assigned a hotkey, in the following categories:

• Actions specific to an individual HTTP request or response, such as "Send to Repeater".
• Global actions, such as "Switch to Proxy".
• In-editor actions, such as "Cut" and "Undo".

A number of hotkeys are configured by default. Note that very many more actions are available to have a hotkey assigned, if you use them frequently.

All hotkeys must use the Control key (or the Command key on OSX), and may also use Shift and other available modifiers. Note that on some Windows installations the Ctrl+Alt combination is treated by Windows as equivalent to AltGr, and so may result in typed characters appearing when pressed in text fields.

Automatic project backup

Automatic project backup saves a copy of the Burp project file periodically in the background. The following options are available:

• Whether to perform automatic backup, and how frequently.
• Whether to include in-scope items only.
• Whether to show a progress dialog during backups.
• Whether to delete the backup file on clean shutdown of Burp.

REST API options

The REST API can be used by other tools to integrate with Burp Suite.

Note: The REST API exposes sensitive functionality and data. You should not enable the REST API service on untrusted network interfaces, and you should use separate API keys for each client that you grant access to.

The following options are available:

• The URL on which the service runs. You can select the port number and interface to bind to. You should not bind to non-loopback interfaces when connected to untrusted networks.
• Whether the service is currently running.
• Whether to allow access without an API key. This option is not recommended. It means that anyone with network access to the service endpoint is able to trigger actions within Burp and access its data. This includes CSRF requests from untrusted websites that you browse on the same machine as Burp, so API keys should always be used even when the service is listening only the loopback interface.
• The API keys for use by clients. You can create separate API keys for different purposes, and selectively enable or disable them. API keys are secrets and should be handled carefully. Note that you can only retrieve the value of an API key at the time that it is created.

Once the service is configured, you can browse the API documentation and interact with the API at [Service URL]/[API key].

Proxy interception

This option lets you configure whether Proxy interception should be enabled when Burp is started up. You can choose to always enable interception, always disable interception, or to restore the setting from when Burp was last closed.

Proxy history logging

This option controls whether adding items to Target scope will automatically set the Proxy option to stop sending out-of-scope items to the history or live tasks. Setting Burp to do this is useful to avoid accumulating project data for out-of-scope items.

Temporary files location

These settings let you configure where Burp stores its temporary files.

By default, Burp creates a directory within the temporary file location provided by the platform. You can modify this behavior to use a custom directory - for example, on a different volume, or which is not world-readable.

On Mac OS X, you may find that the default temporary file location is sometimes cleared following system hibernation, causing Burp to lose its temporary files. You can resolve this problem by configuring a custom location for Burp to store its temporary files.

Changes to this setting take effect the next time Burp starts up.

Performance feedback

You can help improve Burp by submitting anonymous feedback about Burp's performance.

Feedback only contains technical information about Burp's internal functioning, and does not identify you in any way. If you do report a bug, you can help us diagnose any problems that your instance of Burp has encountered by including your debug ID.