Block rules let you define which URL paths are off-limits during a testing engagement. When a researcher sends a request matching a block rule, the proxy returns the configured HTTP status code instead of forwarding the request to your origin.

Block rule structure

Each rule in the block list is a JSON object with the following fields:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| PathPrefix | string | Yes | URL path prefix to match. Must start with /. |
| Methods | array of strings | No | HTTP methods to match. Use ["*"] for all methods. Defaults to ["*"]. |
| Status | integer | Yes | HTTP status code to return (100–599). |
| Enabled | boolean | Yes | Whether this rule is active. |

View current block rules

Retrieve the current block rules for a site:

curl https://admin.hackgate.io/api/sites/<site-id>/blocklist \
  -H "Authorization: Bearer <your-token>"

{
  "blockListJson": "[{\"PathPrefix\":\"/admin\",\"Methods\":[\"*\"],\"Status\":403,\"Enabled\":true}]"
}

Update block rules

The blockListJson field is a JSON-encoded string containing an array of block rule objects. To update the rules, POST the full array:

curl -X POST https://admin.hackgate.io/api/sites/blocklist \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "siteId": "<site-id>",
    "blockListJson": "[{\"PathPrefix\":\"/admin\",\"Methods\":[\"GET\",\"POST\"],\"Status\":403,\"Enabled\":true},{\"PathPrefix\":\"/internal\",\"Methods\":[\"*\"],\"Status\":404,\"Enabled\":true}]"
  }'

Common examples

[
  {
    "PathPrefix": "/admin",
    "Methods": ["*"],
    "Status": 403,
    "Enabled": true
  }
]

Clear all block rules

To remove all block rules, set blockListJson to an empty array:

curl -X POST https://admin.hackgate.io/api/sites/blocklist \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{"siteId": "<site-id>", "blockListJson": "[]"}'

Disabled rules (Enabled: false) are stored but not enforced by the proxy. Only enabled rules actively block traffic.

PathPrefix must start with /. A PathPrefix of /admin matches /admin, /admin/users, /admin/settings, and any other path beginning with /admin.
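The following is an added example, not HackGate's own code: it checks rules against the field table, builds the double-encoded blockListJson body for the update call, and previews locally which requests a rule set would block. The function names (validate_rule, build_payload, preview) are hypothetical, and the matching semantics (plain string prefix, first enabled match wins, case-insensitive method comparison) are assumptions based on the description on this page.

```python
import json

def validate_rule(rule):
    """Return a normalized copy of a rule, or raise ValueError per the field table."""
    prefix = rule.get("PathPrefix")
    if not isinstance(prefix, str) or not prefix.startswith("/"):
        raise ValueError(f"PathPrefix must be a string starting with /: {prefix!r}")
    methods = rule.get("Methods", ["*"])  # optional field; defaults to all methods
    if not isinstance(methods, list) or not all(isinstance(m, str) for m in methods):
        raise ValueError("Methods must be an array of strings")
    status = rule.get("Status")
    if isinstance(status, bool) or not isinstance(status, int) or not 100 <= status <= 599:
        raise ValueError(f"Status must be an integer in 100-599: {status!r}")
    if not isinstance(rule.get("Enabled"), bool):
        raise ValueError("Enabled must be true or false")
    return {"PathPrefix": prefix, "Methods": methods, "Status": status, "Enabled": rule["Enabled"]}

def build_payload(site_id, rules):
    """Body for the update call: blockListJson is a JSON string, not a nested array."""
    checked = [validate_rule(r) for r in rules]
    return json.dumps({"siteId": site_id,
                       "blockListJson": json.dumps(checked, separators=(",", ":"))})

def preview(rules, method, path):
    """Status the rule set would return for a request, or None if it is forwarded.
    Assumed semantics: plain string prefix, first enabled match wins."""
    for rule in map(validate_rule, rules):
        if not rule["Enabled"] or not path.startswith(rule["PathPrefix"]):
            continue
        if "*" in rule["Methods"] or method.upper() in (m.upper() for m in rule["Methods"]):
            return rule["Status"]
    return None

# Constructed sample rules, mirroring the ones on this page.
RULES = [
    {"PathPrefix": "/admin", "Methods": ["GET", "POST"], "Status": 403, "Enabled": True},
    {"PathPrefix": "/internal", "Status": 404, "Enabled": True},
    {"PathPrefix": "/billing", "Methods": ["*"], "Status": 403, "Enabled": False},
]

if __name__ == "__main__":
    print(build_payload("<site-id>", RULES))
    for method, path in [("GET", "/admin/users"), ("DELETE", "/admin/users"),
                         ("GET", "/administrator"), ("PUT", "/internal/x"),
                         ("GET", "/billing"), ("GET", "/")]:
        print(method, path, "->", preview(RULES, method, path))
```

Under these assumptions the preview shows two scoping effects worth checking before an engagement: a rule limited to GET and POST leaves other methods on the same prefix forwarded to the origin, and a plain prefix of /admin also covers sibling paths such as /administrator.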
Last modified on May 9, 2026