Configuration
This page covers the configuration options available for API Security Testing: authentication, scheduling, rate limiting, scan duration, and scan scope.
Authentication
Configuring authentication is essential for testing protected endpoints. Without valid credentials, the scanner can only reach unauthenticated parts of your API.
Supported Authentication Methods
| Method | How to configure |
|---|---|
| OAuth 2.0 | Provide the token endpoint URL, client ID, client secret, and required scopes. The scanner exchanges the client ID and secret for an access token at the token endpoint, and requests a fresh token automatically when the current one expires during the scan. |
| Basic Auth | Provide a username and password. The scanner sends them on every request as an Authorization header of the form Basic base64(username:password). Base64 is an encoding, not encryption, so only use Basic Auth against HTTPS endpoints. |
| API Key | Provide the header name (for example, X-API-Key or Authorization) and the key value. The scanner includes this header in every request. If the header is Authorization, include any scheme prefix your API expects (for example, Bearer) in the key value. |
Authentication Tips
- Use credentials with sufficient permissions to reach every endpoint you want tested. A read-only API key will miss vulnerabilities in write operations. Because the scanner actually invokes those write operations with the permissions you grant, run it against a test environment or test tenant rather than production data.
- If your API uses short-lived tokens, configure OAuth 2.0 so the scanner can refresh tokens automatically.
- Test your credentials manually before starting a scan, for example by sending one request to a protected endpoint and confirming you get a success response rather than 401 or 403.
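The following is an added illustration of how the three methods in the table turn into request headers, and of the token refresh the OAuth 2.0 row describes. It is not the product's own code. The token endpoint is modelled as an injected callable (fetch_token) so the example runs offline; a real scanner would POST the same form to the token URL. The preflight check implements the tip above about verifying credentials before a scan. All URLs, client IDs and secrets are made-up values.

```python
import base64
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Added illustration of the three supported methods; not the product's code.
# The OAuth 2.0 token endpoint is injected as a callable so this runs offline.


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """RFC 7617: 'Basic' + base64(username:password).
    This is encoding, not encryption; send it over HTTPS only."""
    raw = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def api_key_header(header_name: str, key: str) -> Dict[str, str]:
    """Static key in a caller-chosen header (X-API-Key, Authorization, ...).
    The value is sent as given, so when the header is Authorization the
    caller must include the scheme prefix, e.g. 'Bearer <token>'."""
    return {header_name: key}


@dataclass
class OAuth2ClientCredentials:
    """Client credentials grant (RFC 6749 section 4.4) with automatic refresh.
    A new token is requested `skew` seconds before the old one expires, so a
    long scan never sends an expired token."""
    token_url: str
    client_id: str
    client_secret: str
    scopes: List[str]
    fetch_token: Callable[[str, dict], dict]  # (token_url, form) -> token JSON
    clock: Callable[[], float] = time.time
    skew: float = 30.0
    refreshes: int = field(default=0, init=False)
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def token_request(self) -> dict:
        """Form body a client_credentials request carries to the token endpoint."""
        return {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "scope": " ".join(self.scopes),
        }

    def header(self) -> Dict[str, str]:
        now = self.clock()
        if self._token is None or now >= self._expires_at - self.skew:
            resp = self.fetch_token(self.token_url, self.token_request())
            self._token = resp["access_token"]
            self._expires_at = now + float(resp.get("expires_in", 3600))
            self.refreshes += 1
        return {"Authorization": f"Bearer {self._token}"}


def preflight_check(send: Callable[[str, Dict[str, str]], int],
                    probe_path: str, headers: Dict[str, str]) -> bool:
    """Confirm credentials before scanning: send(path, headers) returns an
    HTTP status. 401/403 mean the scan would only cover the unauthenticated
    surface, so refuse to start."""
    return send(probe_path, headers) not in (401, 403)


def demo_refresh(ticks: List[float]) -> List[str]:
    """Constructed scenario: a fake token endpoint issuing 60-second tokens,
    polled at the given (fake) clock times. Returns the header sent at each."""
    issued: List[str] = []

    def fake_endpoint(url: str, form: dict) -> dict:
        assert form["grant_type"] == "client_credentials"
        issued.append(f"tok{len(issued) + 1}")
        return {"access_token": issued[-1], "token_type": "Bearer", "expires_in": 60}

    now = {"t": 0.0}
    auth = OAuth2ClientCredentials(
        "https://idp.example/oauth/token", "scanner-client", "s3cret",
        ["api.read", "api.write"], fake_endpoint, clock=lambda: now["t"])
    sent = []
    for t in ticks:
        now["t"] = t
        sent.append(auth.header()["Authorization"])
    return sent


if __name__ == "__main__":
    print(basic_auth_header("scanner", "s3cret"))
    print(api_key_header("X-API-Key", "example-key"))
    print(demo_refresh([0, 10, 29, 31, 100]))   # tok1 x3, then tok2, then tok3
    print(preflight_check(lambda p, h: 401, "/users", {}))
```

With 60-second tokens and a 30-second skew, demo_refresh shows the refresh firing at t=31 and again at t=100 rather than waiting for a 401 mid-scan, which is the behaviour you want from the OAuth 2.0 option when your API issues short-lived tokens.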
Scheduling
You can run API scans on demand or schedule them to run automatically.
On-Demand Scans
Click Start Scan on any scan profile to run an immediate scan. This is useful for one-time assessments or testing after a specific deployment.
Scheduled Scans
To set up a recurring schedule:
- Open the scan profile you want to schedule.
- Click Schedule.
- Select a frequency: daily, weekly, or monthly.
- Choose the preferred start time.
- Save the schedule.
Scheduled scans benefit from payload rotation, where each run tests different payload variations, expanding coverage over time.
Rate Limiting
Rate limiting controls how many requests per second the scanner sends to your API. This prevents the scan from overwhelming your API or triggering rate-limiting defenses.
- Default behavior: The scanner adjusts its request rate based on your API’s responses. If it detects throttling (HTTP 429 responses), it automatically slows down.
- Custom limits: You can set a maximum requests-per-second limit in the scan profile configuration.
Setting rate limits too low extends scan duration. Setting them too high may affect your API’s performance or trigger defensive measures.
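As an added example of the two behaviours described above (a hard requests-per-second cap and automatic slow-down on HTTP 429), here is a small adaptive limiter together with a simulated API. This is illustrative code, not the product's implementation, and the exact backoff policy (halve on 429, add 1 req/s back after 20 successes, honour Retry-After) is an assumption chosen for the example. The simulation uses a fake clock so it runs instantly.

```python
import time
from typing import Callable, Dict, List, Optional

# Added model of adaptive rate limiting with a hard cap; not the product's code.
# Backoff policy (AIMD: halve on 429, +1 req/s after 20 successes) is assumed.


class AdaptiveRateLimiter:
    """Never exceeds max_rps. Halves the rate on HTTP 429 (honouring
    Retry-After when the server sends one) and adds 1 req/s back after a
    run of successes, i.e. additive-increase/multiplicative-decrease."""

    def __init__(self, max_rps: float, min_rps: float = 0.5,
                 successes_to_speed_up: int = 20,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_rps = max_rps
        self.min_rps = min_rps
        self.rps = max_rps                 # start at the configured cap
        self.successes_to_speed_up = successes_to_speed_up
        self._sleep = sleep
        self._clock = clock
        self._next_allowed = clock()
        self._successes = 0
        self.throttled = 0

    def wait(self) -> None:
        """Block until the next request is permitted at the current rate."""
        now = self._clock()
        if now < self._next_allowed:
            self._sleep(self._next_allowed - now)
            now = self._clock()
        self._next_allowed = now + 1.0 / self.rps

    def observe(self, status: int, retry_after: Optional[float] = None) -> None:
        """Feed back each response so the rate adapts."""
        if status == 429:
            self.throttled += 1
            self._successes = 0
            self.rps = max(self.min_rps, self.rps / 2.0)
            if retry_after is not None:
                # Trust the server's Retry-After instead of guessing.
                self._next_allowed = max(self._next_allowed,
                                         self._clock() + retry_after)
        else:
            self._successes += 1
            if self._successes >= self.successes_to_speed_up:
                self._successes = 0
                self.rps = min(self.max_rps, self.rps + 1.0)


def simulate(max_rps: float, server_limit: int, n_requests: int = 200) -> Dict[str, float]:
    """Constructed scenario: an API allowing `server_limit` requests per fixed
    one-second window and answering 429 with Retry-After beyond that."""
    now = {"t": 0.0}

    def fake_clock() -> float:
        return now["t"]

    def fake_sleep(seconds: float) -> None:
        now["t"] += seconds

    limiter = AdaptiveRateLimiter(max_rps, sleep=fake_sleep, clock=fake_clock)
    per_window: Dict[int, int] = {}
    statuses: List[int] = []
    for _ in range(n_requests):
        limiter.wait()
        t = now["t"]
        w = int(t + 1e-9)          # guard against 6.999999 counting as window 6
        per_window[w] = per_window.get(w, 0) + 1
        if per_window[w] > server_limit:
            status, retry_after = 429, (w + 1) - t   # wait for the next window
        else:
            status, retry_after = 200, None
        statuses.append(status)
        limiter.observe(status, retry_after)
    return {"throttled": statuses.count(429), "final_rps": limiter.rps,
            "elapsed_s": round(now["t"], 1),
            "peak_in_window": max(per_window.values())}


if __name__ == "__main__":
    # Cap of 20 req/s against an API that only allows 5 per second:
    # the limiter overshoots once per window at most, then settles.
    print(simulate(20, 5))
    # Cap below the API's limit: no 429s, 200 requests at 5 req/s take ~40 s.
    print(simulate(5, 100))
```

The first run shows the trade-off stated above: with the cap set far above what the API tolerates, the scanner trips the API's defences a few times before settling, whereas a cap below the API's own limit produces no 429s but stretches the scan to the full (n - 1) / max_rps seconds.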
Scan Duration
Scan duration depends on several factors:
| Factor | Impact |
|---|---|
| Number of endpoints | More endpoints mean more payloads to send |
| Rate limiting | Lower limits extend scan time |
| API response time | Slow APIs take longer to scan |
| Payload depth | More thorough testing takes more time |
Typical scans complete in 5 to 30+ minutes. Large APIs with hundreds of endpoints and strict rate limits may take longer.
Scan Scope
By default, every endpoint in your OpenAPI spec is included in the scan. You can narrow the scope by:
- Excluding specific paths or operations
- Limiting the scan to specific HTTP methods
- Focusing on endpoints that have changed since the last scan
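The three scoping rules above, applied to an OpenAPI 3 document, as an added example that is not the product's own code. Path exclusions are modelled as shell-style globs, and "changed since the last scan" is modelled by comparing a per-operation digest against a snapshot saved after the previous run; both are assumptions for the illustration. The two sample specs are constructed inline.

```python
import fnmatch
import hashlib
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Added illustration of scan scoping over an OpenAPI 3 document; not the
# product's code. Sample specs below are constructed for the example.

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def list_operations(spec: dict) -> List[Tuple[str, str, dict]]:
    """Every (METHOD, path, operation object) in the document."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:   # skip 'parameters', 'summary', ...
                ops.append((method.upper(), path, op))
    return ops


def fingerprint(op: dict) -> str:
    """Stable digest of an operation: canonical JSON so key order is irrelevant."""
    canonical = json.dumps(op, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def snapshot(spec: dict) -> Dict[str, str]:
    """What to persist after a scan so the next run can find changed operations."""
    return {f"{m} {p}": fingerprint(op) for m, p, op in list_operations(spec)}


def select_scope(spec: dict,
                 exclude_paths: Iterable[str] = (),
                 exclude_operation_ids: Iterable[str] = (),
                 methods: Optional[Iterable[str]] = None,
                 previous: Optional[Dict[str, str]] = None) -> List[str]:
    """Default: everything. Narrow by path glob, operationId, HTTP method, or
    'changed since last scan' (new or modified relative to `previous`)."""
    excluded_ids = set(exclude_operation_ids)
    allowed = None if methods is None else {m.upper() for m in methods}
    selected = []
    for method, path, op in list_operations(spec):
        key = f"{method} {path}"
        if any(fnmatch.fnmatchcase(path, pat) for pat in exclude_paths):
            continue
        if op.get("operationId") in excluded_ids:
            continue
        if allowed is not None and method not in allowed:
            continue
        if previous is not None and previous.get(key) == fingerprint(op):
            continue                               # unchanged since last scan
        selected.append(key)
    return selected


def example_specs() -> Tuple[dict, dict]:
    """Constructed v1 and v2 specs: v2 changes POST /users and adds PATCH."""
    def op(oid: str, **extra) -> dict:
        return {"operationId": oid, "responses": {"200": {"description": "ok"}}, **extra}

    v1 = {"openapi": "3.0.3", "paths": {
        "/users": {"get": op("listUsers"),
                   "post": op("createUser", requestBody={"required": True})},
        "/users/{id}": {"parameters": [{"name": "id", "in": "path", "required": True}],
                        "get": op("getUser"), "delete": op("deleteUser")},
        "/admin/audit": {"get": op("readAudit")},
        "/health": {"get": op("health")},
    }}
    v2 = json.loads(json.dumps(v1))                # deep copy, key order kept
    v2["paths"]["/users"]["post"]["requestBody"]["content"] = {"application/json": {}}
    v2["paths"]["/users/{id}"]["patch"] = op("updateUser")
    return v1, v2


if __name__ == "__main__":
    v1, v2 = example_specs()
    print(select_scope(v2))                                        # all 7 operations
    print(select_scope(v2, exclude_paths=["/admin/*", "/health"]))
    print(select_scope(v2, methods=["GET"]))
    print(select_scope(v2, previous=snapshot(v1)))                 # changed only
```

Note what the change-based filter can and cannot see: it keys off the spec, so a modified request body or a new operation is picked up, but a code change behind an unchanged contract is not. Keep a full-scope scan on the schedule and use the changed-only scope for quick post-deployment checks.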