How to add header-based authentication

Your 'how to' guide for adding Header authentication

Written by Naomi Purvis
Updated this week

⚠️ If you're planning to use an admin user for the authentication you are adding, please read this article first: Adding an admin user when adding authentications

You can also add, view, update and delete authentications from your targets using our API. This can help if you wish to integrate vulnerability scanning as part of your CI/CD pipeline or otherwise update the authentication credentials automatically.


Selecting the authentication method

When you select Header authentication you will be presented with the following modal. Header authentications can be used to send a specific header to the endpoint with every request.

How to find the information

If you're unsure where or how to find the information you need, please click the hyperlinks under 'Credentials' or refer to: Where to Find Required Information

Adding the credentials

Throughout this example we will be using 178.79.154.6, where we are hosting our test application. You may use either a fully qualified domain name (FQDN) or an IP address.

In this example, we are starting our scan from the /headers/ page of our application (http://178.79.154.6/headers/). Unlike form-based authentication there is no login URL, instead the headers you define are sent with every request.

In our example we specify a Logout URL which we want to exclude from scanning (http://178.79.154.6/headers/logout). If your application uses Header authentication, it's possible that you do not have a logout URL. Currently (v1.0) this field is mandatory, so you will need to provide something here; if needed, you can set this path to something that definitely won't exist in order to progress to the next stage.

Header name

We specify a Header Name of X-Auth-Token with the Header Value set to Bearer Tm90IGEgdmFsaWQgYXV0aCB0b2tlbg==. This is a standard bearer token which is used by many API endpoints. You can add multiple headers if you need to.

It's worth noting that the header token needs to last long enough for a scan to run – we would recommend at least a few hours, 24 hours if possible.
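To make the three points above concrete (the header goes with every request, the logout URL must be excluded, and the token must outlive the scan), here is an added example, not code from Intruder or this article. It models a small application that checks the X-Auth-Token header on each request and a crawler that sends the configured headers; the token store, its 24-hour expiry and the visited paths are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed token store for the example: the page's sample token, given a
# 24-hour lifetime. In a real application this is the API's own token table.
EXAMPLE_TOKEN = "Tm90IGEgdmFsaWQgYXV0aCB0b2tlbg=="
EXAMPLE_EXPIRY = datetime(2024, 1, 2, tzinfo=timezone.utc)


class HeaderAuthApp:
    """Simulated application protected by an X-Auth-Token bearer header.

    There is no login form and no session cookie: every request is checked
    against the token store, so the header must accompany every request.
    """

    def __init__(self):
        self.tokens = {EXAMPLE_TOKEN: EXAMPLE_EXPIRY}

    def handle(self, path, headers, now):
        scheme, _, token = headers.get("X-Auth-Token", "").partition(" ")
        expiry = self.tokens.get(token)
        if scheme != "Bearer" or expiry is None or now >= expiry:
            return 401
        if path == "/headers/logout":
            # Logging out revokes the token, so every later request gets 401.
            # This is why the scan must exclude the logout URL.
            del self.tokens[token]
        return 200

    def token_covers_scan(self, token, start, scan_hours):
        """The article's caveat: the token must still be valid when the scan ends."""
        expiry = self.tokens.get(token)
        return expiry is not None and expiry >= start + timedelta(hours=scan_hours)


def crawl(app, entrypoint, paths, auth_headers, logout_url, now):
    """Visit the entrypoint and each discovered path, sending the configured
    headers with every request and skipping the excluded logout URL.
    Returns {path: status}."""
    excluded = urlparse(logout_url).path
    results = {}
    for path in [urlparse(entrypoint).path, *paths]:
        if path == excluded:
            continue
        results[path] = app.handle(path, auth_headers, now)
    return results
```

Running the crawl once with the logout URL excluded and once without shows the difference: in the second run every request after the logout is rejected with 401.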


Where to Find Required Information

This section will explain where you can find the details that need to be entered when you're adding authentications to a target.

Entrypoint URL

The entrypoint URL tells the scanner where it should start all of its crawling and scanning from. Most often this will be the root of your web application, which in our example would be http://178.79.154.6/ . Please note that the entrypoint should end with a trailing /, which you should include if you want the full application to be scanned.

There are times when you won't want to scan from the root of the application, instead you might want to scan a subset. For example, when you have multiple applications running on the same target, but which live at different paths. For our example:

  • http://178.79.154.6/DVWA/

  • http://178.79.154.6/MyOtherApp/

  • http://178.79.154.6/SecretApp/

In this case, you would want to add 3 separate authentications each using one of the paths in the list.

Logout URL

The easiest way to find this is to log in to the application and find the Logout button on your page (it may say Log Out, Sign Out or something similar). If you hover over the button you'll see the Logout URL at the bottom of your page; you can also right-click and choose 'Copy link address', then paste it into Intruder. If that doesn't work, please see our extended explanation.


Managing authentication(s)

Once you've added the authentication you should see it appear under the Authentications Tab on the Target Details page:
