How to verify a scan target

This article explains why it is essential to verify your website, shows how to verify a scan target, and covers common troubleshooting steps.

Why Is The Verification Required to Start The Full Scan?


The verification is required to confirm the ownership of the website (scan target). Since the full scanner is an invasive scan, it cannot be run until it is certain that you are the owner of the website or that it is the website of one of your customers.

The verification file is an HTML file that is just a hash key file. The scanner reads it to find a match, and only after that can the scanner start scanning.

There are four ways to verify your scan target:

  • Via File Upload
  • Using API Endpoints
  • DNS Verification
  • Manual Verification

Below are the steps and conditions for these four verification processes and some standard troubleshooting methods.

Verification via File Upload

Please execute the following steps to complete the verification of the scan target.
  1. Please download your verification file, which contains your confirmation code.
  2. Place the file in the root directory of your scan target's web server. For example, the file should be reachable via: https://crashtest-security.com/crashtest-0ef19492.html.
  3. Leave the file at this location. The file is checked before each security scan.
  4. Click the "Verify" button to start the verification.

Verification via API Endpoints

To verify using API endpoints, update your API to include any of the following GET statements:

Any API endpoints listed above should return the scan target verification hash. 

Verification via DNS Record 

To verify using a DNS record, create a TXT record under the target's domain and set the verification hash as a value. 


Manual Verification via Customer Support

Get in touch with our customer support if the automatic verification options are not possible for you. This feature is usually available to our Professional plan subscribers, but in some cases, we do a review and help you verify your scan target manually.

What should I do when I receive the Error Message: "Failed to verify the scan targets"?

First, check if the verification file has been uploaded correctly. If this is not the case, make sure the website is accessible to the scanner by checking the following:

  • The website should be publicly accessible.
  • If protected by a firewall, please ensure that our IP Addresses are whitelisted (check the IP addresses provided there).
  • If the application uses HTTP Basic Authentication, the credentials must be configured first.
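
The checks above can be run as a pre-flight test before clicking "Verify". The following is an added example, not Crashtest Security's own code: it fetches the verification file and maps the HTTP result to the troubleshooting points listed here. The function names, the placeholder URL and code, and the assumption that the confirmation code appears as plain text in the file body are all illustrative.

```python
"""Pre-flight check for a scan-target verification file (added example)."""
import base64
import urllib.error
import urllib.request


def diagnose(status, body, expected_code):
    """Map an HTTP result for the verification file to a troubleshooting hint."""
    if status is None:
        return "unreachable: site is not publicly accessible or a firewall drops the request"
    if status == 401:
        return "auth: HTTP Basic Authentication is active, configure the credentials first"
    if status == 403:
        return "blocked: request refused, check the firewall allowlist for the scanner IPs"
    if status == 404:
        return "missing: verification file is not in the web server's root directory"
    if status != 200:
        return f"unexpected: HTTP {status}"
    # Assumption: the confirmation code is present as plain text in the file.
    if expected_code not in body:
        return "mismatch: file is served but does not contain the confirmation code"
    return "ok"


def fetch(url, user=None, password=None, timeout=10):
    """Return (status, body); status is None when no HTTP response arrives."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses
        return err.code, ""
    except (urllib.error.URLError, OSError):  # DNS failure, refused, timeout
        return None, ""


def check(url, expected_code, **auth):
    """Fetch the verification file and return the diagnosis string."""
    return diagnose(*fetch(url, **auth), expected_code)


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own file URL and code.
    print(check("https://scan-target.example/crashtest-PLACEHOLDER.html",
                "PLACEHOLDER-CONFIRMATION-CODE"))
```

Run it from a host outside your own network: an "ok" from inside the perimeter does not show that the scanner's IP addresses are allowed through the firewall.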

How should I interpret the error messages during my scans, and what should I do?

If the scan configuration is not done correctly, or there is a problem with one of the scanners, you will receive an error message while the scan runs or after it finishes. In this wiki article, you can find a detailed list of possible error names that can be returned, along with suggestions for the next steps to take to try and complete the scan.