Skip to content

Production-Safe Scanning

Production-safe scanning minimizes infrastructure impact and security alert triggering while maintaining valuable security insights. This configuration is designed to avoid overwhelming infrastructure, affecting end-user experience, or triggering WAF and SIEM alerts.

Complete Configuration

The following configuration provides a comprehensive production-safe setup:

frontend_dast:
  # Security testing constraints
  read_only: true
  security_checks_enabled:
    - PASSIVE_PAGE_CHECKS
    - NETWORK_CHECKS

  # Resource constraints
  parallel_workers: 1
  max_duration: 30
  max_requests_per_second: 2
  max_concurrent_requests: 1

  # Scanner identification
  user_agent: "EscapeSecurity-ProductionScan/1.0 (Authorized-Scan)"
  custom_headers:
    X-Security-Scanner: "Escape"
    X-Scan-Purpose: "Production-Safety-Test"

  # Scope limitations
  scope:
    pages:
      max_parameterized_url_variations: 2
      max_unique_fragments_per_page: 2

      blocklist_patterns:
        - ".*/admin/delete/.*"
        - ".*/payment/process/.*"

      blocklist_element_selectors:
        - 'button[data-action="delete"]'
        - 'button[type="submit"][class*="danger"]'
        - '[data-critical-action="true"]'

    api:
      skipped_url_patterns:
        - ".*/api/delete/.*"
        - ".*/api/admin/.*"

network:
  requests_per_second: 50
  parallel_requests: 1
  request_timeout_s: 10

Configuration Components

Security Check Selection

Security check types can be selectively enabled to balance thoroughness against production impact:

  • ACTIVE_PAGE_CHECKS: Interactive vulnerability testing (XSS, SQL injection) — highest impact
  • PASSIVE_PAGE_CHECKS: Safe analysis (DOM security, browser storage, console errors) — minimal impact
  • NETWORK_CHECKS: Infrastructure analysis (headers, cookies, SSL) — minimal impact
  • API_CHECKS: Security testing of captured API traffic — moderate impact

Read-Only Mode:

The read_only parameter disables active injection testing while preserving passive analysis capabilities:

frontend_dast:
  read_only: true  # Disables ACTIVE_PAGE_CHECKS

This mode is recommended for production environments and can be used for application structure discovery and scan configuration validation.

Explicit Check Selection:

frontend_dast:
  security_checks_enabled:
    - PASSIVE_PAGE_CHECKS
    - NETWORK_CHECKS

Rate Limiting and Traffic Control

Request rates should be constrained to minimize server load and prevent rate limiting or WAF triggers:

frontend_dast:
  max_requests_per_second: 2   # Default: 10
  max_concurrent_requests: 1   # Default: 3
  parallel_workers: 1          # Default: 3

network:
  requests_per_second: 50      # Default: 1000
  parallel_requests: 1         # Default: 10
  request_timeout_s: 10        # Default: 2

Scope Constraints

Scan duration and exploration depth should be limited to reduce system impact:

frontend_dast:
  max_duration: 30  # 30-minute scan window
  scope:
    pages:
      max_parameterized_url_variations: 2

High-Risk Area Exclusion:

Destructive operations and sensitive areas should be explicitly excluded:

frontend_dast:
  scope:
    pages:
      blocklist_patterns:
        - ".*/admin/delete/.*"
        - ".*/payment/process/.*"
        - ".*/data/export/.*"

      blocklist_element_selectors:
        - 'button[data-action="delete"]'
        - 'a[href*="/admin/"]'
        - '[data-analytics-critical="true"]'

    api:
      skipped_url_patterns:
        - ".*/api/admin/.*"
        - ".*/api/delete/.*"

Scanner Identification

Scanner requests should be identifiable for allowlisting and monitoring purposes:

frontend_dast:
  user_agent: "EscapeSecurity-ProductionScan/1.0 (Authorized-Scan)"
  custom_headers:
    X-Security-Scanner: "Escape"
    X-Scan-Purpose: "Production-Safety-Test"

Infrastructure Configuration

Firewall and Security System Preparation

Prior to production scanning, the following infrastructure configurations should be implemented:

  1. IP Allowlisting: Scanner IP addresses should be allowlisted in WAF, CDN, and firewall configurations
  2. Rate Limit Exemption: Scanner requests should be exempted from rate limiting rules when feasible
  3. SIEM Alert Suppression: Security monitoring systems should have filters configured to suppress alerts from known scanner activities

Pre-Scan Validation

Before production scan execution:

  • Configuration should be validated in staging environments
  • Scans should be scheduled during low-traffic periods
  • Application and infrastructure monitoring should be active
  • Scan termination procedures should be established

Production Scanning Risks

Production scanning carries inherent risks regardless of configuration conservativeness. Coordination with operations, security, and development teams is required before production scan execution.

Crawling Behavior

Form Input Population

Form inputs are populated during scans as part of the standard crawling process, independent of security testing configuration. For the scanner to discover pages and map application functionality, forms must be filled and submitted, multi-step forms must be progressed, and user interactions must be simulated.

Input formats are automatically detected and relevant data is generated to enable effective crawling. This behavior is distinct from the fuzzing and injection testing performed by ACTIVE_PAGE_CHECKS.

API Traffic Analysis

By default, API traffic captured during scans is analyzed and tested, including traffic generated during authentication procedures. This can occasionally disrupt authentication and create inconsistent login states.

API analysis during authentication can be disabled:

frontend_dast:
  api_checks_during_auth: false

Reference: Session Management for comprehensive authentication stability configuration.