Many web applications use CAPTCHA services like Google reCAPTCHA or hCaptcha to block automated activity. While this helps prevent abuse, it can interfere with automated security scans, leading to incomplete results or missed vulnerabilities.

To enable effective scanning by Astra, we recommend allowlisting our scanner IPs within your CAPTCHA configuration.

Why CAPTCHA blocks security scanners

CAPTCHA solutions are designed to stop automated bots. Since security scanners simulate automated activity to probe your application, CAPTCHA may block or interrupt these requests, resulting in:

To avoid this, we suggest excluding Astra’s scanner IPs from CAPTCHA challenges.

Recommended Solution: Allowlist Astra Scanner IPs

By allowlisting the Astra IP Ranges, you can exempt Astra’s scanner from CAPTCHA while maintaining full protection for your regular users.

Security Note: Always ensure IP allowlisting is used only for trusted services like Astra, and keep your allowlist updated to avoid exposing your application to unwanted traffic.
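One way to keep the allowlist current, as an added example that is not Astra's, Google's or Auth0's own code: a small audit that compares the entries configured in your CAPTCHA or bot-protection allowlist with the vendor's published ranges. All addresses below are constructed placeholders from the RFC 5737 / RFC 3849 documentation ranges, not Astra's real IPs, and the function name is hypothetical.

```python
import ipaddress

# Constructed placeholders (documentation ranges), NOT Astra's real scanner IPs.
PUBLISHED_RANGES = ["192.0.2.10/32", "198.51.100.0/28", "2001:db8:1::/64"]
# Constructed example of what is currently configured in the allowlist.
CONFIGURED_ALLOWLIST = ["192.0.2.10", "198.51.100.0/24", "203.0.113.7/32"]


def audit_allowlist(configured, published):
    """Classify allowlist entries against the vendor's published ranges.

    ok        - entry lies entirely inside a published range
    too_broad - entry is wider than a published range, so it also exempts
                addresses the vendor does not list
    stale     - entry matches nothing published (retired or unrelated IP)
    missing   - published range that no configured entry covers
    """
    pub = [ipaddress.ip_network(p, strict=False) for p in published]
    conf = []
    findings = {"ok": [], "too_broad": [], "stale": [], "missing": []}

    for entry in configured:
        net = ipaddress.ip_network(entry, strict=False)
        conf.append(net)
        # subnet_of() raises TypeError across IP versions, so check version first.
        if any(p.version == net.version and net.subnet_of(p) for p in pub):
            findings["ok"].append(entry)
        elif any(p.version == net.version and p.subnet_of(net) for p in pub):
            findings["too_broad"].append(entry)
        else:
            findings["stale"].append(entry)

    for p in pub:
        if not any(c.version == p.version and p.subnet_of(c) for c in conf):
            findings["missing"].append(str(p))
    return findings


if __name__ == "__main__":
    for category, entries in audit_allowlist(
        CONFIGURED_ALLOWLIST, PUBLISHED_RANGES
    ).items():
        print(f"{category:10} {entries}")
```

Entries reported as too_broad or stale are the ones that exempt unwanted traffic from CAPTCHA; entries reported as missing are the ones that will still interrupt scans.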

Google reCAPTCHA

Google reCAPTCHA (v3 and Enterprise) supports allowlisting of IP addresses to exclude trusted sources from CAPTCHA enforcement.

Please refer to Google’s official documentation for instructions:
Allowlist IP addresses for reCAPTCHA

Once you’ve added Astra’s scanner IPs to the allowlist, CAPTCHA will no longer block or interfere with scans from our engine.

Auth0

Auth0’s Attack Protection suite includes Bot Detection, Brute-force Protection, and Suspicious IP Throttling. These features may block or challenge traffic from automated scanners like Astra’s.

To ensure uninterrupted scanning, you can allowlist Astra’s scanner IPs in Auth0.

Steps to Allowlist Scanner IPs in Auth0

  1. Log in to the Auth0 Dashboard.

  2. Go to Security > Attack Protection.

  3. Select the protection feature you want to configure (e.g., Bot Detection).

  4. Scroll to the Manage IP addresses (IP AllowList) section.

  5. Add Astra’s scanner IP addresses or subnets.

  6. Save your changes.

This will exempt Astra’s scanner from being flagged or blocked by Auth0’s protective mechanisms during security assessments.

Official Documentation:
Configure Bot Detection – Auth0 Docs