How to scan applications with multiple login URLs or regions

Last updated: August 1, 2025

Astra's scanner uses a login recording to authenticate into your application before scanning. If your application has multiple login flows or serves different experiences behind different URLs, it's important to understand how to configure it correctly for comprehensive coverage.

Problem

You may find that only part of your application is being scanned, even though you've configured multiple user roles or expected broader coverage.

This usually happens when:

  • The base domain appears the same (e.g., example.com)

  • But different parts of the application (e.g., /dashboard, /blog, /admin) have different login flows or authentication behaviors

In such cases, uploading just one login recording may not be enough.

Why This Happens

Astra’s scanner is designed around the principle that:

  • 1 Target = 1 Login Recording

  • If different parts of your application use different login URLs or mechanisms, they must be handled separately

Even if the base domain is shared, the scanner treats distinct login experiences or functional areas as independent applications.

Examples include:

  • Region-based variations (e.g., example.com?region=eu)

  • Separate products or modules under the same domain (e.g., example.com/blog vs. example.com/dashboard)

  • Distinct authentication portals (e.g., /admin/login vs. /user/login)

When to Use Separate Targets

You should create separate targets if:

  • The login URL changes (not just the post-login navigation)

  • A different authentication mechanism or user role is used

  • Logging in through one flow does not provide access to the other part of the application

Real-World Examples

| Application Section | Login URL                       | Configuration                    |
|---------------------|---------------------------------|----------------------------------|
| Admin Portal        | https://example.com/admin/login | Target A + Admin Login Recording |
| User Dashboard      | https://example.com/login       | Target B + User Login Recording  |
| Region-Specific App | https://example.com?region=na   | Target C + NA Login Recording    |

In all the above cases, while the FQDN (Fully Qualified Domain Name) might look the same, the scanner treats each as a separate target due to different login behaviors.

Why Separate Targets Are Important Beyond Just Login

Even if the login flows appear similar or share the same base domain, the data and functionality served by each path, region, or environment can differ significantly.

Key reasons to configure separate targets:

  • Different underlying databases: The EU and NA instances, for example, may return different data or serve different user segments.

  • Feature variations: Some features might be enabled in one instance but not in another (e.g., A/B testing, region-specific modules).

  • Permission or role behavior: A user in one environment might see different UI components, workflows, or security controls than in another.

Because Astra’s scanner interacts with your app much like a real user would, it’s important that each unique experience is captured with its own login flow and scan context. This ensures accurate vulnerability detection that reflects what your users (and attackers) actually see.

Summary

  1. Different login flows = separate targets

  2. Each target can only have one login recording

  3. Even within the same domain, if distinct sections of your app require different ways to authenticate, they must be configured as separate targets

Next Steps

  1. Identify the unique login flows in your application.

  2. For each, create a separate target in the Astra dashboard.

  3. Upload a corresponding login recording for each.

  4. Scan them individually for full coverage.
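One way to work through steps 1 and 2 before opening the dashboard, as an added example that is not part of Astra's documentation or tooling: it groups a section inventory into distinct login flows, each of which needs its own target and login recording. The inventory entries, the mechanism and role labels, and the grouping key are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed inventory: (section, login URL, auth mechanism, role).
INVENTORY = [
    ("Admin Portal", "https://example.com/admin/login", "password", "admin"),
    ("User Dashboard", "https://example.com/login", "password", "user"),
    ("User Settings", "https://EXAMPLE.com/login/", "password", "user"),
    ("Region-Specific App (NA)", "https://example.com?region=na", "password", "user"),
    ("Region-Specific App (EU)", "https://example.com?region=eu", "password", "user"),
]


def normalize_login_url(url):
    """Collapse cosmetic differences (host case, trailing slash, query order)
    but keep the query string: region=na and region=eu are different flows."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, query, ""))


def plan_targets(inventory):
    """Return one planned target per distinct (login URL, mechanism, role).

    Whether logging in through one flow also grants access to another section
    cannot be decided from URLs alone; confirm that manually per section.
    """
    flows = {}  # insertion-ordered: first section seen defines target order
    for section, login_url, mechanism, role in inventory:
        key = (normalize_login_url(login_url), mechanism, role)
        flows.setdefault(key, []).append(section)

    plan = []
    for index, ((url, mechanism, role), sections) in enumerate(flows.items()):
        plan.append({
            "target": f"Target {chr(ord('A') + index)}",
            "login_url": url,
            "mechanism": mechanism,
            "role": role,
            "sections": sections,  # all covered by this target's one recording
        })
    return plan


if __name__ == "__main__":
    for entry in plan_targets(INVENTORY):
        print(f"{entry['target']}: {entry['login_url']} "
              f"[{entry['mechanism']}/{entry['role']}] -> {', '.join(entry['sections'])}")
```

Sections that land in the same group share a login flow and can be covered by a single target; every other group gets its own target and recording.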

Need Help?

Unsure if your application structure requires multiple targets? Reach out to our team with details about your login flows, and we’ll help you configure everything correctly.