search

Privacy Modes

Privacy mode controls what request/response data can leave Burp when the extension calls AI backends or returns MCP tool output.

Configure it in the Privacy & Logging tab in the Settings panel.

circle-exclamation

Default value is OFF. For real engagements, set privacy mode intentionally before sending any prompts.

hashtag
Mode Comparison

Mode
Cookies
Auth Tokens
Hostnames
Typical Use

STRICT

Stripped

Redacted

Anonymized

Cloud backends with sensitive targets.

BALANCED

Stripped

Redacted

Preserved

Mixed workflows where host context is needed.

OFF

Preserved

Preserved

Preserved

Controlled internal testing only.

hashtag
Decision Guide

hashtag
What Changes in Practice

hashtag
STRICT

  • Hostnames are replaced with deterministic pseudonyms.

  • Auth tokens are redacted.

  • Cookies are stripped.

hashtag
BALANCED

  • Hostnames stay visible.

  • Auth tokens are redacted.

  • Cookies are stripped.

hashtag
OFF

  • Raw context is eligible for transmission.

  • No automatic redaction is applied.

hashtag
Before/After Example

Raw request headers:

STRICT output:

BALANCED output:

hashtag
Important Boundaries

triangle-exclamation

Privacy mode does not prevent active scanner traffic from reaching the real target. It only controls prompt/tool data sent to AI clients.

  • BountyPrompt tag resolution runs after redaction, so tags inherit current privacy policy.

  • MCP tool responses are filtered by the same privacy mode.

  • Determinism mode and salt handling affect reproducibility and anonymization stability.

hashtag
Related Pages

PreviousActive AI ScannerNextLimitations & Hallucinations

Last updated