Scanning Internal Applications¶
You may need to recognise which of the requests your application receives come from Escape's security scanner, so that you can treat them differently from ordinary traffic.
Use Cases¶
- Disable monitoring for Escape's requests
- Enable introspection on your staging environment only for requests from the security scanner
- Scan internal applications
Escape Identifier¶
Escape's scanner attaches an identification header to every request it sends. The header name is X-Escape-Identifier, and its value is a secret token tied to your organization.
This header lets you detect incoming requests from the scanner and add custom handling logic. Because any client can send a header with this name, match on the token value rather than on the mere presence of the header.
We recommend allowlisting requests that carry this header with the correct token in your Web Application Firewall (WAF) in order to:
- Avoid false positive alerts
- Keep the WAF from blocking the scan, which would leave part of your attack surface undiscovered
You can find this token in your Organization Settings.
Token Security
Keep this token secret: anyone who holds it can pass as the scanner and receive whatever special handling you grant it. If you suspect it has been compromised, regenerate it in your organization settings using the Revoke button.
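The check described above, as an added example rather than Escape's own code: a small request-side filter that recognises scanner traffic by the identification header and derives the two use cases from the list above (suppressing monitoring, enabling introspection on staging). The header name is a parameter so the same check works if you configure a custom header. The environment variable ESCAPE_IDENTIFIER, the function names and the sample requests are assumptions made for this example, not part of the page.

```python
"""Recognise Escape scanner traffic by its identification header.

Added example, not Escape's own code. Assumed here (not stated on the page):
the expected token is read from the ESCAPE_IDENTIFIER environment variable,
and request headers are available as a plain mapping of name to value.
"""
import hmac
import os
from typing import Dict, Mapping, Optional

# Header name documented by Escape; a custom name can be passed instead.
DEFAULT_HEADER = "X-Escape-Identifier"


def is_escape_request(headers: Mapping[str, str],
                      expected_token: Optional[str],
                      header_name: str = DEFAULT_HEADER) -> bool:
    """Return True only when the request carries the correct secret token.

    - HTTP header names are case-insensitive, so the lookup ignores case.
    - The value is compared in constant time (hmac.compare_digest) so the
      token cannot be recovered byte by byte from response timing.
    - With no token configured nothing matches: the presence of the header
      alone must never unlock scanner-only behaviour, since any client can
      send a header with that name.
    """
    if not expected_token:
        return False
    wanted = header_name.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return hmac.compare_digest(value.encode("utf-8"),
                                       expected_token.encode("utf-8"))
    return False


def request_policy(headers: Mapping[str, str],
                   expected_token: Optional[str],
                   environment: str,
                   header_name: str = DEFAULT_HEADER) -> Dict[str, bool]:
    """Derive per-request switches from the scanner check.

    Monitoring is skipped for scanner requests; introspection is opened only
    for scanner requests and only on staging, never in production.
    """
    from_scanner = is_escape_request(headers, expected_token, header_name)
    return {
        "monitoring_enabled": not from_scanner,
        "introspection_enabled": from_scanner and environment == "staging",
    }


if __name__ == "__main__":
    # Constructed sample requests for a local dry run.
    token = os.environ.get("ESCAPE_IDENTIFIER", "example-token-for-demo")
    samples = {
        "scanner, correct token": {"X-Escape-Identifier": token},
        "lower-case header name": {"x-escape-identifier": token},
        "spoofed header, wrong token": {"X-Escape-Identifier": "guess"},
        "ordinary client": {"User-Agent": "curl/8.0"},
    }
    for label, hdrs in samples.items():
        print(f"{label:28s} staging={request_policy(hdrs, token, 'staging')}"
              f" production={request_policy(hdrs, token, 'production')}")
```

If your WAF supports header-value matching, the same rule applies there: allowlist on the exact token value, not on the header name, and rotate the token in the WAF rule whenever you revoke it in Escape.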
Custom Header Configuration¶
You can define a custom header to use instead of the default X-Escape-Identifier header.
Go to the Authentication section of your scan configuration and add the following header authentication configuration:
Using Private Locations¶
When creating a new Application from the UI¶
When setting up a new application in Escape, choose a Private Location to enable scanning for internal applications.
When creating a new Application from the CLI¶
See the Public API documentation for more information.
In an Existing Application¶
In the application's Advanced Settings, open the Network tab and choose a Private Location.