Capabilities and constraints of the authenticated web-app scanner

Understand what you can, can't, should and shouldn't do with authenticated web-app scanning

Written by Joe Haigh
Updated over a week ago

Minimising risk

  • We'd advise against adding admin credentials, as explained in this article.

  • Whilst the scanner can run safely on many production websites, it's usually best to stick to staging to reduce the chance of damage.

⚠️ Authentication licenses are per Fully Qualified Domain Name (FQDN) or IP Address, and you can add as many authentications to one target as you wish.


How to add apps using advanced authentication methods

If your app uses single-sign-on, multi-factor authentication, or has complex authentication flows, take a look at our article below:

How to customize the scope of the scan

By default, our scanners will attempt to find all scannable pages on your app. If you wish to configure your scan's authentication to modify the scope, take a look at our article here:
