Allow Through WAF
If your application is behind a Web Application Firewall (WAF) or CDN with security features, you may need to allowlist Detectify’s scanner IP addresses to ensure scans can reach your application. Without allowlisting, the WAF may block scanner traffic, resulting in incomplete scan results or false negatives.
Why Allowlisting Is Needed
WAFs are designed to block malicious-looking traffic. Since Detectify’s scanner sends security testing payloads (such as SQL injection and XSS test strings), WAFs will often detect and block this traffic. While this means your WAF is working correctly, it prevents Detectify from testing your actual application for vulnerabilities.
Allowlisting Detectify’s scanner IPs lets traffic pass through the WAF so the scanner can test your application directly.
General Approach
For any WAF or CDN provider:
- Get the current list of Detectify scanner IP addresses from the Scanner IP Addresses page
- Create an allowlist rule in your WAF that permits traffic from these IPs
- Scope the allowlist to only the assets you want to scan, if possible
- Run a test scan to verify traffic is reaching your application
Provider-Specific Instructions
Cloudflare
- Log in to the Cloudflare dashboard
- Navigate to Security > WAF > Tools
- Create a new IP Access Rule
- Enter each Detectify scanner IP address
- Set the action to Allow
- Apply the rule to the zones you want to scan
Alternatively, create a WAF custom rule that skips all WAF rules when the source IP matches Detectify’s scanner IPs.
AWS CloudFront with AWS WAF
- In the AWS WAF console, navigate to your Web ACL
- Create a new IP set containing Detectify’s scanner IP addresses
- Add a rule to your Web ACL that allows traffic from this IP set
- Position the rule before any blocking rules so it takes precedence (AWS WAF evaluates rules in priority order, lowest number first, so give the allow rule a lower priority number than the blocking rules)
Akamai
- In the Akamai control panel, navigate to your security configuration
- Add Detectify’s scanner IPs to the IP allowlist
- Ensure the allowlist applies to the properties you want to scan
Other WAF Providers
For other WAF providers (Imperva, Fastly, Sucuri, Azure WAF, F5, and others), the process is similar:
- Locate the IP allowlist or bypass rule configuration
- Add Detectify’s scanner IP addresses
- Apply the rule to the relevant domains or applications
- Test with a scan to confirm
Security Considerations
- Scope the allowlist narrowly. Only allowlist Detectify IPs for the specific domains or paths you want to scan, not your entire infrastructure.
- Use the correct IP set. Detectify uses different IPs for Surface Monitoring and Application Scanning. See Scanner IP Addresses for the complete list.
- Remove the allowlist when not needed. If you only scan periodically, consider removing the allowlist between scans.
- Monitor for changes. Detectify may add new scanner IPs. Check the Scanner IP Addresses page periodically or subscribe to updates.
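The considerations above (narrow scope, the correct IP set, drift as scanner IPs change) can be checked mechanically against an exported WAF rule. The following is an added example, not Detectify tooling; the `AllowRule` schema is hypothetical and every address is a constructed RFC 5737 placeholder standing in for the real Scanner IP Addresses list.

```python
# Added example (not Detectify tooling): sanity-check a WAF allow rule against
# the published scanner IP list. All addresses below are constructed
# RFC 5737 placeholders; use the real Scanner IP Addresses page values.
import ipaddress
from dataclasses import dataclass

# Stand-in for the published lists. Detectify publishes separate sets for
# Surface Monitoring and Application Scanning, so check against the right one.
PUBLISHED = {
    "application_scanning": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "surface_monitoring": ["198.51.100.5", "198.51.100.6"],
}


@dataclass
class AllowRule:
    """One allow/bypass rule as exported from a WAF (hypothetical schema)."""
    name: str
    sources: list  # IPs or CIDRs the rule lets through
    hosts: list    # hostnames the rule is scoped to; "*" means all hosts


def check_allow_rule(rule, published, product="application_scanning"):
    """Return findings for one rule: scanner IPs it fails to cover, entries
    that match no current scanner IP (stale), CIDRs wider than one host, and
    whether the rule applies to every host instead of only scanned assets."""
    expected = {ipaddress.ip_address(ip) for ip in published[product]}
    nets = {src: ipaddress.ip_network(src, strict=False) for src in rule.sources}
    covered = {ip for ip in expected if any(ip in n for n in nets.values())}
    return {
        "missing": [str(ip) for ip in sorted(expected - covered)],
        "stale": [src for src, n in nets.items()
                  if not any(ip in n for ip in expected)],
        # A /24 around a scanner IP also admits 250+ unrelated hosts.
        "wide_cidrs": [src for src, n in nets.items() if n.num_addresses > 1],
        "unscoped": "*" in rule.hosts or not rule.hosts,
    }


def rule_is_sound(findings):
    """True only when every finding list is empty and the rule is scoped."""
    return not (findings["missing"] or findings["stale"]
                or findings["wide_cidrs"] or findings["unscoped"])


if __name__ == "__main__":
    # Constructed rule with the typical mistakes: one scanner IP missing, a
    # retired address kept as a whole /24, and applied to every host.
    sloppy = AllowRule("allow-detectify", ["192.0.2.10/32", "192.0.2.11",
                                           "203.0.113.0/24"], ["*"])
    for key, value in check_allow_rule(sloppy, PUBLISHED).items():
        print(f"{key}: {value}")
```

Run it periodically (or in the pipeline that applies your WAF config) against a fresh copy of the published list so an added scanner IP or a retired one shows up as a finding rather than as a silently incomplete scan.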