
WIKICROOK

Allowlist

A security control that permits only approved sources, commands, or destinations and blocks everything else by default.

An allowlist is a security control that permits only approved sources, commands, users, file paths, or destinations and blocks everything else by default. In practice, it flips the normal trust model: instead of trying to blacklist every bad thing, defenders define the small set of known-good things that are allowed to run, connect, or be installed.

Allowlists matter because they reduce attack surface and limit what an attacker can do after gaining access. They are common in application control, network filtering, email security, and software supply-chain defenses. For example, a package manager can allow only registry downloads while rejecting Git URLs, local directories, or remote tarballs unless those sources are explicitly approved. Attackers often try to bypass loose controls by using unexpected paths, alternate protocols, or living-off-the-land commands; an allowlist blocks those routes unless they are already trusted.
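The package-manager case above, as an added example that is not part of the original page: a default-deny audit of dependency sources. It assumes an npm-style manifest; the package names, hosts, and the single approved exception are constructed for illustration.

```javascript
// Added example: allowlist check for dependency sources in an npm-style manifest.
// The check matches the known-good shape (a registry version range) and denies
// everything else, instead of enumerating bad prefixes such as "git+" or "file:".

// Known-good shape: one semver version or simple range, e.g. "^1.3.0", "~4.2.1", ">=2.0.0".
const REGISTRY_RANGE = /^(?:[\^~]|[<>]=?|=)?\d+(?:\.(?:\d+|x|\*)){0,2}(?:-[0-9A-Za-z.-]+)?$/;

// Explicitly approved non-registry sources, pinned by exact "name@spec" (constructed entry).
const APPROVED_EXCEPTIONS = new Set([
  'internal-ui@git+ssh://git@git.example.internal/ui.git#v2.1.0',
]);

function isAllowed(name, spec) {
  if (typeof spec !== 'string') return false;          // malformed entry: deny
  if (REGISTRY_RANGE.test(spec)) return true;          // plain registry download
  return APPROVED_EXCEPTIONS.has(`${name}@${spec}`);   // otherwise only exact approvals
}

// Returns every dependency whose source is not on the allowlist.
function auditManifest(manifest) {
  const denied = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!isAllowed(name, spec)) denied.push({ field, name, spec });
    }
  }
  return denied;
}

// Constructed sample manifest.
const sampleManifest = {
  dependencies: {
    'left-pad': '^1.3.0',                                              // registry: allowed
    'internal-ui': 'git+ssh://git@git.example.internal/ui.git#v2.1.0', // approved exception
    'helper': 'someuser/helper',              // repository shorthand with no scheme: denied
    'utils': 'file:../utils',                 // local directory: denied
    'blob': 'https://example.com/blob-1.0.0.tgz', // remote tarball: denied
  },
  devDependencies: {
    'lint-tool': '~4.2.1',                    // registry: allowed
    'odd': 'GIT+HTTPS://example.com/x.git',   // unusual casing, still denied by default
  },
};

for (const d of auditManifest(sampleManifest)) {
  console.log(`DENY ${d.field}: ${d.name}@${d.spec}`);
}
```

The shorthand and upper-case entries are the ones a prefix-based blocklist tends to miss; here they are denied simply because they do not match the approved shape.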
