# Creating a Scan

## Prerequisites
- At least one verified domain. If you don't have one, add and verify a domain first.
- Available scan quota (daily and weekly limits depend on your plan).
## Steps
- On the Scans page, click New Scan.
- Configure the scan:
### Scan Configuration
| Field | Required | Default | Description |
|---|---|---|---|
| Domain | Yes | — | Select a verified domain from the dropdown |
| Path | No | / | The starting path under the domain (e.g. /app, /api/v1) |
| Scan Types | Yes (≥1) | All selected | Choose which security modules to run (see Scan Modules) |
| Bearer Token | No | — | A JWT or API token for scanning authenticated endpoints |
| Custom Headers | No | — | Key-value pairs added to every HTTP request (up to 10, requires plan support) |
| Skip Paths | No | — | Paths to exclude from scanning (e.g. /logout, /admin) |
| Max Pages | Yes | 50 | Maximum number of pages to crawl (capped by your plan) |
| Max Depth | Yes | 3 | Maximum crawl depth from the start path (capped by your plan) |
### Scan Types (Modules)
Select one or more modules to run. All are enabled by default:
| Module | What It Tests |
|---|---|
| Crawler | Discovers pages, endpoints, forms, and JavaScript files |
| SQL Injection | Tests for SQL injection in parameters, headers, and API endpoints |
| XSS | Tests for reflected XSS, DOM-based XSS, and template injection |
| JWT Analysis | Tests for JWT algorithm attacks, weak secrets, and role escalation |
| Authentication | Tests default credentials, CORS, IDOR, CSRF, and rate limiting |
| Security Headers | Checks for missing or misconfigured HTTP security headers |
| Data Exposure | Tests NoSQL injection, mass assignment, file upload, and path traversal |
| SSRF | Tests for SSRF, cloud metadata access, and command injection |
| Fuzzing | Directory brute-forcing, HTTP method testing, XXE, and external tool integration |
### Bearer Token
If your application requires authentication, provide a valid Bearer token. The token is:
- Stored temporarily in Redis during the scan
- Never persisted in the database
- Deleted automatically after the scan completes
Example token (truncated):

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```
### Custom Headers

> **Plan Feature**
>
> Custom headers are only available on plans that include this feature. If your plan does not support custom headers, the section will not appear in the scan form. Contact your administrator or upgrade your plan for access.
Custom headers let you attach additional HTTP headers to every request the scanner makes — across all modules (crawler, SQL injection, XSS, etc.). This is useful when your application requires:
- API keys sent via a header (e.g. `X-Api-Key`)
- Custom authentication schemes (e.g. `X-Auth-Token`)
- Tenant identifiers for multi-tenant applications (e.g. `X-Tenant-ID`)
- Feature flags or environment selectors (e.g. `X-Environment: staging`)
#### Adding Headers
- Click the + Add Header button in the Custom Headers section.
- Enter the header name (e.g. `X-Api-Key`) and header value (e.g. `your-api-key-here`).
- Repeat to add more headers (up to 10 per scan).
- To remove a header, click the trash icon next to it.
#### Limits
- Maximum of 10 custom headers per scan.
- Header names must not be empty.
- Both header names and values must be text strings.
#### Security

> **Ephemeral — never saved**
>
> Custom headers are never persisted in the database or written to disk. They exist only for the duration of your scan and are automatically deleted the moment the scan finishes (whether it succeeds or fails). You will need to re-enter them for each new scan.
- Held temporarily in an encrypted in-memory store (Redis) while the scan is running
- Never saved to the database, logs, or scan history
- Automatically deleted immediately after the scan completes or fails
- Not included when you re-run a previous scan — you must re-enter them each time
### Skip Paths
Use skip paths to exclude URLs you don't want the scanner to visit (e.g. logout endpoints that would invalidate your session token).
- Type a path and press Enter or click Add
- Paths appear as removable pills
- Paths are relative to the target URL (e.g. `/logout`, `/admin/reset`)
- A leading `/` is added automatically if missing
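As an added illustration (not the scanner's own code), the Python below shows how the Domain, Path, Skip Paths and Max Depth fields could combine into a single scope check for URLs the crawler discovers. It assumes skip paths are absolute paths under the domain and that depth counts path segments below the start path; the class and sample URLs are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ScanScope:
    """Scope rules built from the Domain, Path, Skip Paths and Max Depth fields (constructed example)."""
    domain: str
    start_path: str = "/"
    skip_paths: list[str] = field(default_factory=list)
    max_depth: int = 3

    @staticmethod
    def normalize_path(path: str) -> str:
        # Mirror the form: add a leading "/" if missing; drop a trailing one so prefixes compare cleanly.
        path = path.strip()
        if not path.startswith("/"):
            path = "/" + path
        return path.rstrip("/") or "/"

    def __post_init__(self) -> None:
        self.domain = self.domain.lower()
        self.start_path = self.normalize_path(self.start_path)
        self.skip_paths = [self.normalize_path(p) for p in self.skip_paths]

    @staticmethod
    def _under(path: str, prefix: str) -> bool:
        # Segment-aware prefix test: "/admin" covers "/admin/reset" but not "/administrator".
        return prefix == "/" or path == prefix or path.startswith(prefix + "/")

    def depth_of(self, path: str) -> int:
        # Depth = number of path segments below the start path ("/app/a/b" is 2 for start "/app").
        rel = path if self.start_path == "/" else path[len(self.start_path):]
        return len([seg for seg in rel.split("/") if seg])

    def allows(self, url: str) -> tuple[bool, str]:
        """Return (in_scope, reason) for a URL the crawler discovered."""
        parts = urlsplit(url)
        if parts.hostname is None or parts.hostname.lower() != self.domain:
            return False, "host not the verified domain"
        path = self.normalize_path(parts.path or "/")
        if not self._under(path, self.start_path):
            return False, "outside start path"
        if any(self._under(path, skip) for skip in self.skip_paths):
            return False, "matches skip path"
        if self.depth_of(path) > self.max_depth:
            return False, "exceeds max depth"
        return True, "in scope"
```

Call `ScanScope(domain, path, skip_paths, max_depth).allows(url)` for each discovered URL; the reason string tells you which form field excluded it.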
### Plan Limits
The scan modal shows your current usage:
- Daily scans used vs limit (includes deleted scans)
- Weekly scans used vs limit (includes deleted scans)
- Max pages and Max depth capped by your plan

- Click Start Scan.
## After Launching
The scan enters the Queued state. You can monitor its progress on the Scan Detail page, which auto-refreshes every 5 seconds while the scan is queued or running.
If there are other scans ahead of yours, you'll see your queue position and an estimated wait time.