How-To: Scanning Applications with Multiple Login URLs or Regions
Last updated: May 29, 2026
Introduction
To ensure your security scan provides total coverage, it is important to configure applications with multiple authentication entry points correctly. Astra’s scanner operates on the principle that one target equals one login recording. If different parts of your application require distinct login flows, they must be handled as independent targets to ensure the scanner can access every restricted area.
You may find that only a portion of your application is scanned if different sections (such as /admin vs. /dashboard) or different regions (such as example.com?region=eu vs. example.com?region=na) have unique authentication behaviors. Because Astra’s scanner interacts with your app like a real user, it requires a dedicated login flow for each unique experience to accurately detect vulnerabilities.
Prerequisites
An active Astra Dashboard account.
A list of all unique Login URLs or regional entry points.
Valid credentials for each specific user role or region you intend to scan.
Instructions
1. Identify Unique Login Flows
Review your application to determine where the authentication mechanism changes. You should create separate targets if:
The Login URL changes (e.g., /admin/login vs. /user/login).
A different authentication mechanism or user role is used.
Logging into one section does not provide access to other parts of the application.
2. Create Separate Targets
For each unique login flow identified, navigate to the Targets page and click Add Target to create a new entry.
Target A: Setup for the Admin Portal (e.g., https://example.com/admin/login).
Target B: Setup for the User Dashboard (e.g., https://example.com/login).
Target C: Setup for Region-Specific access (e.g., https://example.com?region=na).
3. Record and Upload Login Sequences
For each target created, use the Chrome DevTools recorder to capture the specific login sequence.
Export each recording as a Puppeteer JSON file.
Upload the corresponding file to the respective target's settings under Step 4: Login Recording.
4. Initiate Individual Scans
Once each target is configured with its own login recording, trigger the scans individually. This ensures that the scanner uses the correct authentication context for each specific section or region of your application.
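A pre-upload check for steps 3 and 4, added here as an example and not part of Astra's documentation or tooling: it reads the first navigate step of each exported recording and reports a recording that starts at a different URL than its target's login URL, or that repeats the login flow of another target. It assumes the Recorder export is a JSON object with a steps array of typed steps; the function names, target list and recordings are constructed for illustration.

```javascript
// Pre-upload check for DevTools Recorder JSON exports (constructed sample data).

// URL of the first "navigate" step in a recording, or null if there is none.
function firstNavigateUrl(recording) {
  const step = (recording.steps || []).find((s) => s.type === "navigate" && s.url);
  return step ? step.url : null;
}

// Reduce a URL to what distinguishes one login flow from another:
// origin, path (trailing slash ignored) and sorted query parameters.
function entryPointKey(rawUrl) {
  const u = new URL(rawUrl);
  const path = u.pathname.replace(/\/+$/, "") || "/";
  const query = [...u.searchParams].map(([k, v]) => `${k}=${v}`).sort().join("&");
  return `${u.origin}${path}${query ? "?" + query : ""}`;
}

// targets: [{ name, loginUrl, recording }] -> array of problem strings.
function checkRecordings(targets) {
  const problems = [];
  const seen = new Map(); // entry point key -> first target that used it
  for (const t of targets) {
    const start = firstNavigateUrl(t.recording);
    if (!start) {
      problems.push(`${t.name}: recording has no navigate step`);
      continue;
    }
    const key = entryPointKey(start);
    if (key !== entryPointKey(t.loginUrl)) {
      problems.push(`${t.name}: recording starts at ${start}, expected ${t.loginUrl}`);
    }
    if (seen.has(key)) problems.push(`${t.name}: same login flow as ${seen.get(key)}`);
    else seen.set(key, t.name);
  }
  return problems;
}

// Constructed recording in the assumed { title, steps: [...] } layout.
const rec = (url) => ({ title: "login", steps: [
  { type: "setViewport", width: 1280, height: 800 },
  { type: "navigate", url },
  { type: "change", selectors: [["#password"]], value: "REDACTED" },
] });

const sampleTargets = [
  { name: "Target A", loginUrl: "https://example.com/admin/login", recording: rec("https://example.com/admin/login") },
  { name: "Target B", loginUrl: "https://example.com/login", recording: rec("https://example.com/admin/login") },
  { name: "Target C", loginUrl: "https://example.com?region=na", recording: rec("https://example.com/?region=eu") },
];
console.log(checkRecordings(sampleTargets));
```

In the sample, Target B carries the admin recording and Target C was recorded against the eu region, so both would scan a different authentication context than the one their target is meant to cover.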
Expected Outcome
By segmenting your application into separate targets, you ensure that each unique experience is captured with its own scan context. This provides accurate vulnerability detection that reflects the different data, features, and security controls served by each specific path or region.
Troubleshooting
Same Domain Issues: Even if the FQDN (Fully Qualified Domain Name) is identical, sections whose login behavior differs must be set up as separate targets.
Data Differences: If different regions return different data segments or have feature variations (like A/B testing), separate targets are essential for a complete assessment.
Further Assistance: If you are unsure whether your application structure requires multiple targets, please reach out to our team with details about your login flows for configuration help.