What This Article Covers

This guide walks you through the configuration process for Astra’s vulnerability scanner on web applications — from setting the scan scope to enabling login authentication. Proper configuration ensures maximum vulnerability coverage with minimal noise.

Who Should Read This

Security engineers, DevOps, and developers setting up web application scans. Access to the Astra dashboard and knowledge of your app's architecture and authentication are required.

Why This Matters

Accurate configuration allows the scanner to explore the entire attack surface, including authenticated areas, and reduces false positives by targeting only what matters.

Pre-requisites (For Pentest/Manual Scan)

Before starting the setup, ensure the following details are available :

Mandatory:

• Scope URL
  Share a non-production environment URL (preferably QA or Staging) for testing.

• User Roles & Credentials
  Provide login credentials for all relevant user roles (e.g., admin, user, etc.).
  It’s recommended to create temporary accounts, as test data may be added.

• Requirements for the Automated Scanner
  Astra’s automated scanner is the first step in your Pentest journey. As soon as the scan begins, results start appearing in real time. You can refer to the step-by-step guide below to set it up.

• OTP / Authenticator Flows
  For apps using OTPs, magic links, or authenticator apps:

  Ideally, provide a static OTP or a bypass mechanism.
  This ensures seamless authenticated scanning.

• API Integration (If Applicable)

  • Base URL of your API

  • OpenAPI Specification (JSON/YAML) to improve crawl coverage (optional but highly recommended)

Step-by-Step Configuration

Step 1: Access the Scanner Setup

1. Go to the Targets page on the Astra dashboard.

2. Click on the Setup Target button next to the target you wish to configure.

3. You'll now enter the setup wizard where you define your scan configuration.

Breakdown of This Step:

Define the Target URL & Scope of the Scan

To avoid scanning unnecessary third-party services, specify the scope precisely.

• Target URL: The base domain or path (e.g., https://app.example.com)

• Scope: Limits the scan to certain subdomains or URI paths

Learn how to configure scope
Choosing between production vs staging environments

Configure Subdomain Crawling

Decide how much of your domain tree should be explored:

• All Subdomains: Includes app.example.com, api.example.com, etc.

• Target Subdomains Only: Restricts to the exact domain/subdomain you enter

• Starting with URI: Limits crawl to paths starting with e.g., /admin

Add Additional Hosts

If your app uses other hostnames (CDNs, microservices, external APIs), add them here so they’re included in the scan.

Step 2: API Scanning

Enhance scanner coverage by:

• Allowing it to crawl APIs and subdomains

• Uploading an OpenAPI Spec (JSON/YAML) for deeper and faster endpoint discovery

Step 3: User Roles

If your application requires login:

• Create accounts for each user role (e.g., Admin, User, Manager)

• Provide the credentials during setup

Create temporary accounts to avoid unwanted data in production

Step 4: Login Recording

Use Chrome DevTools Recorder to capture the login process:

• Helps the scanner authenticate into your app

• Set session timeout (in seconds) so it reauthenticates as needed

Step 5: Optimize Tech Stack

Select technologies your app uses to:

• Improve vulnerability detection accuracy

• Reduce false positives

• Speed up scan duration

Supported stack options include frameworks (React, Django), languages, CMSs, etc.

Step 6: Add Application Details

Give a brief overview of your app’s purpose and key features:

Example: A SaaS app for booking appointments online. Users can view availability, schedule, and pay through the portal. Built with Vue.js frontend and Node.js backend.

This context helps Astra create business logic test cases during manual testing.

Step 7: Advanced Settings

Customize the scan further:

• HTTP Headers: Add custom headers if needed (e.g., tokens, cookies)

• Exclude URLs: Use keyword match or regex to skip sensitive or irrelevant pages

Step 8: Complete Setup

Review your configuration. Once satisfied, click Complete Setup.

⚠ Any config changes made mid-scan will only apply to the next scan.

Need Help?

Reach out to our support team via the dashboard or submit a ticket if you face issues during setup.