Configuring Header Authentication

Before following the instructions below, ensure that your application and authenticated resources are accessible to the Bright engine, either directly from the Internet or via the Repeater.

Use the Header authentication method when the login-protected resources of the application you want to scan require one or more static authentication headers (for example, a bearer token or a session cookie) whose values are generated outside of Bright and pasted into the authentication object.

📘

If an authentication token expires, the authentication object no longer gives Bright access to the protected resources of that target; generate a fresh token and update the header value before running the scan again.

From the Authentication type dropdown list, select Header authentication, and then add the authentication Headers.

Field            Guidelines
Merge Strategy   Select whether the specified header (for example, an authentication cookie) is replaced or appended before each request is sent. Use Replace for single-value headers such as Authorization; use Append when the request already carries a value that must be kept, such as an existing Cookie header.
Name             Enter the name of the header to be replaced or appended before each request is sent, for example Authorization.
  • You can add as many headers as you need by clicking + Add header at the bottom of the Headers section.
  • To delete a header, click the delete icon next to the corresponding header field.

📘

Tip:

Some applications require MFA only on the first login from a given IP address. In that case the scan IP can be validated once and no further MFA challenges are issued. Identify which cookie records that MFA/2FA has been completed, and include a valid copy of that cookie as one of the headers in your authentication object.

Testing authentication

👍

Related Links:

Bright lets you test an authentication object before saving it. For details, see Testing Authentication.