
Scanning Internal Applications

You may need to tell whether an incoming request comes from the security scanner rather than from a regular client.

Use Cases

  • Disable monitoring for Escape's requests
  • Enable introspection of your server only for the security scanner on your staging environment
  • Scan internal applications

Escape Identifier

Escape's scanner attaches a secret token to every request it sends. The header name is X-Escape-Identifier, and its value is an identification token tied to your organization.

X-Escape-Identifier: {{your-escape-identifier}}

This header allows you to detect incoming requests from the scanner and add custom handling logic.

We recommend allow-listing requests that carry this secret header in your Web Application Firewall (WAF). Match on the header's exact value, not merely on the presence of the header name, otherwise anyone who adds the header could bypass the WAF. The allow-list lets you:

  • Avoid false-positive alerts
  • Prevent the WAF from blocking the scanner and hiding part of your attack surface

You can find this token in your Organization Settings.

Token Security

Keep this token secret. If you suspect it has been compromised, regenerate it in your Organization Settings using the Revoke button, and update any WAF rules or application checks that match on the old value.

Custom Header Configuration

You can define a custom header as an alternative to the default X-Escape-Identifier header.

Go to the Authentication section of your scan configuration and add the following header authentication configuration. The scanner then sends this header on every request, and you can match on it exactly as you would on X-Escape-Identifier:

presets:
  - type: headers
    users:
      - headers:
          X-MySecretHeader: my-secret-value
        username: user1
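The detection and WAF-style allow-listing described above, and the custom header configured here, all reduce to the same check: the request carries the expected header and its value equals the secret. The following is an added example, not Escape's own code; the token value, the header lookup helpers, the ScannerTagMiddleware class and the "staging" environment name are constructed for illustration. Only the two header names (X-Escape-Identifier and X-MySecretHeader) come from the page.

```python
import hmac
from typing import Mapping, Optional

# Default header sent by the scanner (from the page). A custom header configured
# under presets -> headers is handled by passing its name as header_name.
DEFAULT_HEADER = "X-Escape-Identifier"


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup: HTTP header names are case-insensitive and
    many frameworks normalise them to lower case before handing them to you."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_scanner_request(headers: Mapping[str, str], expected_token: str,
                       header_name: str = DEFAULT_HEADER) -> bool:
    """True only when the header is present AND its value equals the secret.

    Checking the value (not just the header name) is what stops a third party
    from bypassing the WAF or monitoring by adding the header themselves.
    hmac.compare_digest avoids leaking the token through timing differences,
    and an empty/missing expected token must never mean "trust everyone".
    """
    if not expected_token:
        return False
    presented = get_header(headers, header_name)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected_token.encode("utf-8"))


def introspection_allowed(headers: Mapping[str, str], expected_token: str,
                          environment: str,
                          header_name: str = DEFAULT_HEADER) -> bool:
    """Use case from the page: enable introspection only for the scanner, and
    only on staging. 'staging' is an assumed environment label."""
    return environment == "staging" and is_scanner_request(
        headers, expected_token, header_name)


class ScannerTagMiddleware:
    """Hypothetical WSGI middleware that tags scanner requests in the environ so
    downstream code (monitoring, introspection toggles) can consult one flag
    instead of re-checking the header."""

    FLAG = "escape.scanner_request"

    def __init__(self, app, expected_token: str,
                 header_name: str = DEFAULT_HEADER):
        self.app = app
        self.expected_token = expected_token
        self.header_name = header_name
        # WSGI exposes request headers as HTTP_<UPPER_WITH_UNDERSCORES>.
        self.env_key = "HTTP_" + header_name.upper().replace("-", "_")

    def __call__(self, environ, start_response):
        presented = environ.get(self.env_key)
        headers = {self.header_name: presented} if presented is not None else {}
        environ[self.FLAG] = is_scanner_request(
            headers, self.expected_token, self.header_name)
        return self.app(environ, start_response)


if __name__ == "__main__":
    # Constructed token for the demo; in practice read it from a secret store,
    # never hard-code the real organization identifier.
    token = "esc_example_token_0123"
    print(is_scanner_request({"x-escape-identifier": token}, token))          # True
    print(is_scanner_request({"X-Escape-Identifier": "guess"}, token))        # False
    print(is_scanner_request({"X-MySecretHeader": "my-secret-value"},
                             "my-secret-value", "X-MySecretHeader"))          # True
    print(introspection_allowed({"X-Escape-Identifier": token}, token,
                                "production"))                                # False
```

Wire ScannerTagMiddleware in front of your application and have your monitoring hook skip requests where environ["escape.scanner_request"] is true; the same is_scanner_request call can back a custom WAF rule if your WAF supports scripting.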

Using Private Locations

When creating a new Application from the UI

When setting up a new application in Escape, choose a Private Location to enable scanning for internal applications.

When creating a new Application from the CLI

See the Public API Documentation for more information.

In an Existing Application

In the application’s Advanced Settings, choose a Private Location in the Network tab.