How to scan an unauthenticated web-app

Instructions for adding placeholder authentication so you can scan your unauthenticated web-app

Joe Haigh avatar
Written by Joe Haigh
Updated over a week ago

Our [authenticated] web-app scanner is built exclusively for web-apps and the servers that host them, focusing primarily on the web-apps' functionality and the configuration of services running on it.

What if my app doesn't require authentication?

Not to worry – you can still use the [authenticated] web-app scanner, you just need to make sure you provide placeholder authentication so the web-app scanner is activated when the scan starts.

The steps to do this can be seen below:

1. Find the target in the Targets page and click into its Target Detail Page:

2. Click the Authentications tab and click Add Authentication

3. Select Header Authentication and enter the following credentials:

  • Name: Unauthenticated

  • Entrypoint URL: The URL of the target e.g.

  • Header Name: X-Auth-Token

  • Header Value: Bearer Tm90IGEgdmFsaWQgYXV0aCB0b2tlbg==

4. Hit 'Save authentication'.

Now, whenever you kick-off a scan on this target, it will be checked for all the usual infrastructure checks conducted by the underlying scanning engine (openVAS for Essential users and Tenable for Pro, Premium and Vanguard), plus checks from our web-app scanner.

Did this answer your question?