
How to add header-based authentication

Last updated on Aug 07, 2025

Configuring Header-Based Authentication for a Web Application Scanner

When you configure a web application scanner to use header authentication, you are essentially handing it a key to an already open door. You don't need to teach the scanner how to log in; you give it the proof of a successful login, and it attaches that proof to every request it sends. Here's a step-by-step guide to configuring this:

Get the Authentication header

The first step is to capture the specific header that the web application uses to authenticate requests. You can only obtain it after a successful login, because the server issues the token as part of that login.

  1. Log in Manually: Log into the web application using your browser as you normally would.

  2. Open Developer Tools: Use your browser's developer tools (often by pressing F12 or Ctrl+Shift+I) to inspect network requests.

  3. Inspect a Protected Request: Navigate to a page that requires authentication. In the network tab of the developer tools, select the request for that page.

  4. Find the Header: In the request details, look at the request headers section. The authentication token is often carried in a header such as Authorization, whose value typically looks like Bearer <token>, or in a custom header defined by the application (for example, an API key header). Copy the entire header line, including both the name and the value (e.g., Authorization: Bearer abc123xyz). Treat the copied value as a credential: anyone who holds it can act as the logged-in user until it expires or is revoked.

Adding authentication to a new target

  1. Click add target and select a web application scan, then click next.

  2. Add your target address and other details, then check "Add authentication method".

  3. Select session cookie based authentication. The same form is used for header-based authentication; you supply a header name and value in place of a cookie name and value.

  4. Now you can configure your authentication details:

      1. Entrypoint URL: This is the same as for cookie-based authentication. It's the URL the scanner visits first, and it should be a page that's only accessible after a user has authenticated, so that a failed authentication is noticed immediately rather than after the crawl has started.

      2. Header Name and Value: Instead of a cookie name and value, you provide the header name and its value. The header name is typically Authorization, and the value is the authentication token. For example, the full header might look like Authorization: Bearer A1B2C3D4E5F6. In this case, Authorization is the name, and Bearer A1B2C3D4E5F6 is the value (the Bearer prefix is part of the value, not the name).

      3. Logged In Pattern: This is the same as for cookie-based authentication. It's the text or pattern the scanner looks for on the entrypoint page to confirm the session is active, and it ensures the token is working as expected. Choose text that only appears when logged in (a "Log out" link or the user's name), not something that also appears on the login page, or the check will pass even when the token is rejected. Bearer tokens usually expire; if the token's lifetime is shorter than the scan, the pattern will stop matching part-way through, so issue a token that outlives the scan or refresh the value before rescanning.

  5. After filling in all the required fields (marked with an asterisk), click Submit to save this authentication configuration for the scan target. The web application scanner will then send the header with its requests to authenticate itself before it begins crawling and scanning the application.
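Before saving the configuration, it is worth proving that the three values you are about to enter actually work together: that the copied header authenticates, and that the logged-in pattern does not also match the anonymous page. The following pre-flight check is an added example written for this article; it is not the scanner vendor's code, and the entrypoint URL, the sample token and the fake responses are constructed so that it runs offline. It splits a copied "Name: value" line the way the form expects, fetches the entrypoint with and without the header, tests the pattern on both responses, and, when the bearer token is a JWT, reads its exp claim so you can compare the token lifetime against the expected scan duration (no signature verification is done; only the claim is read).

```python
"""Pre-flight check for a header-based scanner authentication configuration.

Added example, not part of the scanner's documentation. Uses only the
standard library; the sample data at the bottom is constructed for an
offline run and does not describe a real application.
"""
import base64
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Fetch = Callable[[str, Dict[str, str]], Tuple[int, str]]


def split_header_line(line: str) -> Tuple[str, str]:
    """'Authorization: Bearer abc123xyz' -> ('Authorization', 'Bearer abc123xyz').
    Splits on the first colon only: header values may themselves contain colons."""
    name, sep, value = line.partition(":")
    if not sep or not name.strip():
        raise ValueError(f"not a 'Name: value' header line: {line!r}")
    return name.strip(), value.strip()


def http_get(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real fetch; 4xx/5xx responses are returned rather than raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_auth_config(entrypoint_url: str, header_line: str,
                      logged_in_pattern: str, fetch: Fetch = http_get) -> Dict[str, object]:
    """Request the entrypoint with and without the header; test the pattern on both."""
    name, value = split_header_line(header_line)
    pattern = re.compile(logged_in_pattern)
    status_auth, body_auth = fetch(entrypoint_url, {name: value})
    status_anon, body_anon = fetch(entrypoint_url, {})
    return {
        "header_name": name,
        "status_authenticated": status_auth,
        "status_anonymous": status_anon,
        "pattern_matches_authenticated": bool(pattern.search(body_auth)),
        "pattern_matches_anonymous": bool(pattern.search(body_anon)),
    }


def config_is_usable(result: Dict[str, object]) -> bool:
    """Usable only if the pattern proves login AND would detect loss of the session."""
    return bool(result["pattern_matches_authenticated"]) and not result["pattern_matches_anonymous"]


def jwt_expiry(token: str) -> Optional[int]:
    """If the token is a JWT, return its exp claim (Unix seconds) without verifying
    the signature; None for opaque tokens or tokens without exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return int(exp) if isinstance(exp, (int, float)) else None


# --- constructed sample data for an offline run (hypothetical application) ---
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Token with JWT layout and an empty signature, for the demo only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


SAMPLE_TOKEN = make_unsigned_jwt({"sub": "alice", "exp": 1800000000})
SAMPLE_HEADER_LINE = f"Authorization: Bearer {SAMPLE_TOKEN}"
ENTRYPOINT = "https://app.example/account"  # hypothetical entrypoint URL


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Stand-in for http_get: accepts exactly the sample token, rejects everything else."""
    if headers.get("Authorization") == f"Bearer {SAMPLE_TOKEN}":
        return 200, "<html><body>Signed in as alice <a href='/logout'>Log out</a></body></html>"
    return 401, "<html><body>Please sign in to continue</body></html>"


if __name__ == "__main__":
    good = check_auth_config(ENTRYPOINT, SAMPLE_HEADER_LINE, r"Log out", fetch=fake_fetch)
    weak = check_auth_config(ENTRYPOINT, SAMPLE_HEADER_LINE, r"<html>", fetch=fake_fetch)
    print("pattern 'Log out' usable:", config_is_usable(good))  # True
    print("pattern '<html>' usable:", config_is_usable(weak))   # False: matches anonymously too
    print("token exp:", jwt_expiry(SAMPLE_TOKEN))               # 1800000000
```

To run it against a real target, call check_auth_config with the default fetch (http_get) and the entrypoint URL, header line and pattern you intend to enter in the form; if config_is_usable returns False because the pattern also matches the anonymous response, pick a more specific pattern before saving, and if jwt_expiry returns a time earlier than your expected scan end, obtain a longer-lived token first.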