Allowlist vs Blocklist
Also Known As
whitelist vs blacklist
allowlist blocklist
permit list deny list
TL;DR
Allowlists define what is permitted and reject everything else; blocklists define what is forbidden and let everything else through. An allowlist fails closed when an unanticipated value arrives, a blocklist fails open, which is why allowlists are the default for security validation.
Explanation
A blocklist (blacklist) tries to enumerate known-bad inputs and reject them. It is incomplete by construction: attackers find alternative encodings, case variants, equivalent values and entirely new attack vectors that the list never anticipated, and every one of those passes by default. An allowlist (whitelist) defines exactly what is acceptable and rejects everything else, so an input the author never thought of is rejected rather than accepted. Two conditions make this hold in practice: the check must run on the canonical form of the input (decoded, normalised, lower-cased where the consumer is case-insensitive), and the comparison must be exact rather than a substring or prefix match. When validating file extensions, redirect targets, HTML tags or system commands, use an allowlist.
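The contrast above, worked through on an upload filename and, going beyond the page's own PHP, on the file's leading bytes as well. This is an added example in Python, not code from the original page; the helper names (extension_of, blocklist_accepts, allowlist_accepts, validate_upload, compare), the magic-byte table and the sample filenames are assumptions chosen for illustration.

```python
"""Blocklist vs allowlist on an upload filename, plus an allowlist on content.

Added example, not code from the original page. The function names, the
magic-byte table and the sample filenames are assumptions for illustration.
"""
import os
from typing import Optional

# Blocklist: the names the author remembered. Incomplete by construction.
BLOCKED_EXTENSIONS = {"php", "exe", "sh"}

# Allowlist: exactly what this endpoint is meant to accept, nothing else.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# An allowlist on content: the bytes each accepted type must begin with.
MAGIC_BYTES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def extension_of(filename: str) -> str:
    """Lower-cased text after the last dot of the base name; '' if there is none."""
    _, dot, ext = os.path.basename(filename).rpartition(".")
    return ext.lower() if dot else ""


def blocklist_accepts(filename: str) -> bool:
    """Reject what is listed; everything else passes. Fails open."""
    return extension_of(filename) not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Accept what is listed; everything else is rejected. Fails closed."""
    return extension_of(filename) in ALLOWED_EXTENSIONS


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return the accepted extension, or None.

    The name must carry an allowlisted extension *and* the content must start
    with that type's signature, so a '.png' that begins with '<?php' is rejected
    even though its extension alone would pass."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if not data.startswith(MAGIC_BYTES[ext]):
        return None
    return ext


# Constructed attacker-style filenames; none of these is a real upload.
SAMPLE_NAMES = [
    "avatar.jpg",      # legitimate
    "shell.php",       # on the blocklist
    "shell.PHP",       # case variant, normalised by lower-casing
    "shell.php7",      # not on the blocklist
    "shell.phtml",     # not on the blocklist
    ".htaccess",       # an 'extension' nobody thought to list
    "shell.php.",      # trailing dot: no extension at all
]


def compare(names=SAMPLE_NAMES) -> dict:
    """Map each name to (blocklist verdict, allowlist verdict); True means accepted."""
    return {n: (blocklist_accepts(n), allowlist_accepts(n)) for n in names}


if __name__ == "__main__":
    for name, (block, allow) in compare().items():
        print(f"{name:14} blocklist={'pass' if block else 'reject':6} "
              f"allowlist={'pass' if allow else 'reject'}")
```

Running it shows the asymmetry: the blocklist lets `shell.php7`, `shell.phtml`, `.htaccess` and `shell.php.` through (the last has no extension after the dot, so it matches nothing, while some file systems silently drop the trailing dot on write), and the allowlist rejects all four with no list maintenance. The magic-byte check is a second allowlist, this time on content: a `.png` whose bytes begin with `<?php` is refused even though its name is fine.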
Diagram
flowchart TD
INPUT[User Input] --> APPROACH{Validation approach}
APPROACH -->|Blocklist| BLOCK_LIST[Check against known bad<br/>reject blacklisted values]
APPROACH -->|Allowlist| ALLOW_LIST[Check against known good<br/>reject anything not in list]
BLOCK_LIST --> BYPASS[Attacker finds bypass<br/>new attack vector not in list]
ALLOW_LIST --> SAFE2[Only known safe values pass<br/>unknown input rejected by default]
subgraph Examples
BL_EX[Blocklist: remove script tags<br/>attacker uses SVG onload]
AL_EX[Allowlist: only accept a b p tags<br/>anything else rejected]
end
style BLOCK_LIST fill:#f85149,color:#fff
style ALLOW_LIST fill:#238636,color:#fff
style BYPASS fill:#f85149,color:#fff
style SAFE2 fill:#238636,color:#fff
Common Misconception
✗ A blocklist is as secure as an allowlist for input validation. Blocklists require anticipating every possible malicious input — attackers find new bypasses faster than lists are updated. Allowlists define exactly what is permitted and reject everything else, making them structurally more secure.
Why It Matters
Allowlists define what is permitted and reject everything else; blocklists define what is forbidden and allow everything else. Allowlists are structurally stronger because an attacker needs only one value missing from a blocklist, whereas an allowlist gives them nothing to enumerate: any value not on it is rejected before it reaches the code that would act on it.
Common Mistakes
- Using a blocklist for file upload validation — attackers find file types not on the list.
- Allowlists that are too broad — 'any image type' vs 'jpeg, png, gif specifically'.
- Not canonicalising input before the check — '%2e%2e%2f' sails past a test for '../' (and past any allowlist applied to the raw string) when a later layer decodes it; decode and normalise first, then validate the result the consumer will actually see.
- Blocklisting user-agent or IP ranges for security — too easy to spoof or rotate.
Avoid When
- Blocklist-only input validation for security-critical paths — attackers find bypasses; allowlists are safer.
- Allowlists so strict they break legitimate input — test with real-world edge cases before deploying.
- Maintaining a blocklist of known-bad values for SQL injection or XSS — use parameterised queries and output encoding instead.
When To Use
- Always prefer allowlists for security validation — define what is allowed, reject everything else.
- Blocklists for UX filtering like profanity or spam signals — correctness matters less than security here.
- Allowlists for file upload MIME types and extensions — never trust user-supplied content type alone.
- Allowlists for redirect URLs — open redirects come from blocklist-only checks and from sloppy allowlists (substring or prefix matches on the URL string); parse the URL and compare the host exactly against the allowlist.
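The two canonicalisation points above, the '%2e%2e%2f' traversal under Common Mistakes and the redirect-target allowlist in this list, as one added Python example that is not code from the original page. UPLOAD_ROOT, REDIRECT_HOSTS and all function names are assumptions for illustration; the naive_* functions are the blocklist and substring checks being bypassed, and the safe_* functions decode or parse first and then compare the result exactly against an allowlist.

```python
"""Canonicalise first, then compare exactly against an allowlist.

Added example, not code from the original page. UPLOAD_ROOT, REDIRECT_HOSTS
and all function names are assumptions for illustration.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

UPLOAD_ROOT = "/srv/app/uploads"                      # assumed storage directory
REDIRECT_HOSTS = {"example.com", "www.example.com"}   # assumed allowlist of hosts


# --- Path: a blocklist on the raw string vs an allowlist on the resolved path ---

def naive_path_check(user_path: str) -> bool:
    """Blocklist on the raw string: rejects '../' but not '%2e%2e%2f'."""
    return "../" not in user_path


def resolve_upload_path(user_path: str) -> Optional[str]:
    """Decode as the consumer would, normalise, then require the result to stay
    strictly inside UPLOAD_ROOT. Returns the resolved path or None."""
    decoded = unquote(user_path)              # '%2e%2e%2f' -> '../'
    if "\x00" in decoded:                     # a null byte truncates the name in C APIs
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, decoded.lstrip("/")))
    if not candidate.startswith(UPLOAD_ROOT + "/"):   # also rejects UPLOAD_ROOT itself
        return None
    return candidate


# --- Redirect: a substring check vs an exact comparison of the parsed host ---

def naive_redirect_check(target: str) -> bool:
    """Substring check: anything that merely contains the trusted name passes."""
    return "example.com" in target


def safe_redirect_target(target: str) -> Optional[str]:
    """Accept a same-origin absolute path, or an https URL whose parsed host is
    exactly on the allowlist. Everything else is rejected."""
    # Backslashes and control characters are parsed differently by browsers and
    # by urlsplit; refuse rather than guess which interpretation wins.
    if any(c in target for c in "\\\r\n\t\x00"):
        return None
    try:
        parts = urlsplit(target)
        port = parts.port                     # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme == "" and parts.netloc == "":
        # Path-relative target: exactly one leading slash, never '//host'.
        return target if target.startswith("/") and not target.startswith("//") else None
    if parts.scheme != "https" or parts.username is not None or port not in (None, 443):
        return None
    if parts.hostname not in REDIRECT_HOSTS:  # exact match, lower-cased by urlsplit
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs, not captured traffic.
    for p in ["avatars/a.png", "%2e%2e%2f%2e%2e%2fetc%2fpasswd"]:
        print(f"path {p!r}: naive={naive_path_check(p)} resolved={resolve_upload_path(p)!r}")
    for u in ["https://www.example.com/account", "https://example.com.evil.net/",
              "https://evil.net/?next=example.com", "//evil.net/example.com"]:
        print(f"url {u!r}: naive={naive_redirect_check(u)} safe={safe_redirect_target(u)!r}")
```

The path check rejects anything that normalises to a location outside the root rather than looking for a forbidden substring, so encoded, doubled or mixed traversal sequences all end up in the same place and fail the same test. The redirect check never reasons about the URL string at all: it asks the parser for the host and compares that single value exactly, which is why `example.com.evil.net`, `evil.net/?next=example.com`, `example.com@evil.net` and a scheme-relative `//evil.net` are all refused.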
Code Examples
✗ Vulnerable
// Blocklist — rejects only the three names the author remembered.
// shell.php7, shell.phtml and shell.phar are not listed, so they pass the check
// and execute wherever the server maps those extensions to the PHP interpreter.
$blocked = ['php', 'exe', 'sh'];
$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
if (in_array($ext, $blocked)) die('Blocked');
// Anything not on the list falls through and is stored.
// Contrast — the same check written as an allowlist; only explicitly permitted values pass:
$allowed = ['jpg', 'jpeg', 'png', 'gif'];
if (!in_array($ext, $allowed, true)) die('Not allowed');
✓ Fixed
// Allowlist — permit known-good; deny everything else (fails closed)
$allowed = ['jpeg', 'jpg', 'png', 'webp', 'gif'];
$ext = strtolower(pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION));
// third argument: strict comparison, so no type juggling in the lookup
if (!in_array($ext, $allowed, true)) abort(415);   // abort() as in Laravel; use your framework's equivalent
// The extension is a claim about the content, not proof of it: also sniff the bytes
// (finfo) against an allowlist of MIME types, store the file under a server-chosen
// name outside the web root, and serve it with a fixed Content-Type.
// Blocklist — deny known-bad; allow everything else (fragile)
$blocked = ['php', 'php3', 'php4', 'phtml', 'phar'];
// Attackers find the extensions you forgot (.php5, .php7, .shtml) and those pass by default
// Always prefer allowlists for:
// - File extensions, MIME types
// - Redirect URLs (parse the URL, compare the host exactly against a domain allowlist)
// - HTML tags and attributes (HTMLPurifier's allowlist configuration)
// - User roles, permissions
// Blocklists for:
// - WAF rule augmentation (block known attack patterns)
// - IP reputation (block known-bad IPs)
// — but never as the only defence
Added
15 Mar 2026
Edited
25 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: Low
⚡ Quick Fix
Use allowlists (define what IS permitted) not blocklists (define what is NOT) — attackers always find values you forgot to block
📦 Applies To
PHP 5.0+
web
api
cli
🔍 Detection Hints
Blocklist patterns such as strpos($input, 'script') !== false, or str_replace() / preg_replace() stripping specific substrings, used in place of a check that the whole input matches an allowlisted format
Auto-detectable:
✓ Yes
semgrep
🤖 AI Agent
Confidence: High
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: Function
Tests: Update
CWE-183 Permissive List of Allowed Inputs
CWE-184 Incomplete List of Disallowed Inputs