How to Set Up Burp Suite with Chrome in 2026

Written by: Abigail Ivy
Published on:

If you want to inspect, modify, and replay web traffic from Chrome, the first step is configuring Burp Suite correctly.

This guide explains how to set up Burp Suite with Chrome, trust the Burp CA certificate, and confirm that HTTPS requests are being intercepted as expected.

What Burp Suite Does in a Chrome Testing Workflow

Burp Suite, developed by PortSwigger, acts as an intercepting proxy between your browser and the target application.

When Chrome sends a request, Burp can capture it, letting you analyze headers, cookies, parameters, sessions, and responses before they reach the server or browser.

This setup is essential for web application security testing, vulnerability research, and debugging modern applications that rely heavily on HTTPS, APIs, and authentication flows.

Chrome is a common choice because it is widely used, supports modern TLS standards, and works well with Burp when configured properly.

Prerequisites Before You Start

Before you connect Chrome to Burp Suite, make sure you have the following in place:

  • Burp Suite Community Edition or Burp Suite Professional installed
  • Google Chrome installed and updated
  • Permission to test the target site or application
  • A clean browser profile if you want to avoid extension conflicts

If you are testing a local environment, confirm that the target application is reachable from your machine.

For remote sites, remember that Burp will only see traffic from the browser profile configured to use the proxy.

How to Set Up Burp Suite with Chrome

1. Start Burp Suite and confirm the proxy listener

Open Burp Suite and go to the Proxy settings.

By default, Burp listens on 127.0.0.1:8080, which is the standard loopback address and port used for local interception.

In most cases, you can leave the default listener unchanged.

If another application is already using port 8080, choose a different local port and note it for the Chrome proxy configuration.

2. Configure Chrome to use Burp as the proxy

Chrome itself does not provide a detailed built-in proxy UI on every platform, so the proxy is usually set at the operating system level or through a browser launch profile.

On Windows, macOS, and Linux, Chrome typically inherits the system proxy settings.

Set the HTTP and HTTPS proxy to 127.0.0.1 and port 8080, or match the listener you configured in Burp.

If you are using a separate testing profile, keep it isolated so normal browsing is not affected.

In many lab environments, testers launch Chrome with proxy flags or use a dedicated proxy-switching extension.

However, the cleanest approach for reliability is a dedicated browser profile pointed at Burp’s listener.

3. Verify that traffic reaches Burp

After configuring the proxy, open Chrome and visit a plain HTTP site or a known test endpoint.

In Burp Suite, go to the Proxy tab and check the Intercept or HTTP history views.

If the browser is correctly routed through Burp, you should see requests appear in Burp almost immediately.

If nothing shows up, the proxy settings, port number, or listener address usually need to be checked first.

Install the Burp CA Certificate in Chrome

Chrome will block or warn about HTTPS traffic unless it trusts Burp’s certificate authority.

Burp generates its own CA certificate, which allows it to decrypt and re-encrypt HTTPS sessions for inspection.

Download the CA certificate from Burp

With Burp running and Chrome pointed at the proxy, navigate in Chrome to http://burp.

This special hostname opens Burp’s built-in page, where you can download the CA certificate.

Download the certificate in the format recommended for your platform.

On many systems, the certificate can be saved and then imported into the operating system’s trusted root store.

Trust the certificate on your operating system

Chrome relies heavily on the OS trust store, so the Burp CA certificate often must be installed at the system level rather than only inside the browser.

Import the certificate as a trusted root certificate authority.

The exact steps vary by operating system:

  • Windows: import the certificate into the Trusted Root Certification Authorities store
  • macOS: add it to Keychain Access and set it to always trust
  • Linux: install it into the appropriate system or browser trust store, depending on distribution and browser packaging

Once trusted, Chrome should stop showing certificate warnings for sites intercepted by Burp, as long as the proxy is active and the site is reachable.

Confirm HTTPS Interception Works Correctly

Open a secure site such as a major HTTPS domain and watch Burp’s HTTP history.

If the setup is working, you will see the full request and response flow, including TLS-encrypted traffic decrypted by Burp after certificate trust is established.

To test more precisely, load a login page or submit a simple form.

Burp should record the request method, path, query string, cookies, and any form parameters.

This is where tools like Repeater, Intruder, and the built-in message editor become useful for analysis.

Common signs of a successful setup

  • Chrome loads pages without certificate errors
  • Requests appear in Burp’s HTTP history
  • HTTPS domains can be inspected in cleartext within Burp
  • Burp can intercept, forward, drop, and modify requests

Common Problems When Using Burp Suite with Chrome

Chrome shows certificate warnings

This usually means the Burp CA certificate is not trusted by the operating system, or Chrome is using a different profile or trust store than expected.

Reinstall the certificate and ensure you imported the correct Burp-generated CA file.

No traffic appears in Burp

If Burp stays empty, the proxy listener may not match the browser proxy, or Chrome may be bypassing the system proxy.

Check that the listener is active on the expected address and port, and confirm that no VPN, security software, or browser setting is overriding it.

Some sites do not load properly

Modern sites may depend on HTTP/2, WebSockets, or JavaScript-heavy front ends.

Burp supports these protocols, but extensions, anti-bot protections, or strict certificate pinning can still interfere with testing.

In those cases, you may need to adjust scope, test with a fresh profile, or use Burp-specific browser settings.

Burp intercepts too much traffic

If you only want to monitor certain hosts, configure scope rules in Burp Suite.

Then use the option to filter or restrict interception to in-scope URLs.

This keeps your workflow manageable and reduces noise in the history log.

Best Practices for a Stable Chrome and Burp Setup

A reliable interception setup is easier to maintain when you keep browser usage intentional and isolated.

Security teams often create a dedicated Chrome profile for testing, separate from personal browsing, bookmarks, and extensions.

  • Use a dedicated Chrome profile for security testing
  • Keep Burp Suite updated to match modern web standards
  • Limit interception to in-scope targets when possible
  • Review cookies, headers, and tokens carefully before modifying requests
  • Document your proxy and certificate configuration for repeatability

If you regularly test authenticated applications, pay attention to session handling, SameSite cookies, and token refresh behavior.

These details can affect whether Burp captures the exact request sequence you need.

When to Use a Separate Browser or VM

For sensitive assessments, many testers run Chrome inside a virtual machine or isolated lab environment.

This helps prevent trusted certificates, proxy settings, and test cookies from affecting the host operating system.

A separate VM is especially helpful when working on multiple client environments, handling high-risk payload testing, or verifying how an application behaves under different browser states.

It also makes it easier to reset the environment if certificate stores or profiles become cluttered.

Quick Checklist for a Working Setup

  • Burp Suite is running with an active proxy listener
  • Chrome is configured to send traffic through 127.0.0.1:8080 or your chosen port
  • The Burp CA certificate is installed and trusted by the OS
  • HTTPS pages load without warnings
  • Requests appear in Burp’s HTTP history
  • Scope and interception rules are configured for your target

Once these checks pass, you have a dependable foundation for testing authentication flows, API calls, client-side input handling, and other browser-originated traffic through Burp Suite and Chrome.