App Definition
F5® Distributed Cloud Web App Scanning includes two services: Recon and Scan. Recon is our External Attack Surface Management offering, while Scan is our Dynamic Application Security Testing offering. Recon is a free service within Distributed Cloud Web App Scanning and is not priced per usage. Scan is a paid service, priced based on the number of apps scanned on a monthly basis.
In this article, we will define what we consider an app in the Scan service and how that definition determines the total monthly price for using our Scan service.
What Is an App?
Web applications can be deployed in a variety of ways in modern hosting environments. Some apps may have all their resources hosted on a single domain served by a single web server, while others may require resources from different subdomains managed by various service providers. Moreover, some apps may require authentication, while others do not.
The Scan service in Distributed Cloud Web App Scanning is flexible regarding how you choose to host and distribute your app. We believe you are best suited to decide the hosting strategy for your app environment, and we will accommodate your choices. Therefore, the Scan service offers various options to precisely define your app and its required resources.
We have only a few minimum requirements that must be met to use the Scan service successfully. These requirements, as well as the optional settings available, will be discussed in this article.
Minimum Requirements
For the Scan service to test your web app, your app must be deployed on a web server with a frontend accessible using a modern browser. Distributed Cloud Web App Scanning uses Chrome for Testing behind the scenes; thus, your app must render satisfactorily in the latest version of Google Chrome to achieve meaningful test results.
To access and crawl your app, the Scan service must be able to navigate to the front page of your app. This requires that your app is accessible from the public Internet. If your app is protected by a firewall or security group, you can create a firewall rule that allows incoming TCP traffic from the known IP addresses used by Distributed Cloud Web App Scanning. Learn more about configuring the Scan service to use a known IP address for crawling and scanning in our article on known IP addresses.
If your app is not connected to the Internet or you cannot create an inbound firewall rule, we offer a version of Distributed Cloud Web App Scanning that can be hosted locally on-premises. If you are interested in this option, please contact your Technical Account Manager.
For the reasons mentioned above, you must provide the URL of the entry point of your app, e.g., https://app.example.com/login.
Authentication Settings
If your app requires users to log in to access most of its features, you can configure the Scan service to automatically log in and stay logged in to test functionality protected by the login page.
When setting up an app in the Scan service, you can define one or two test users that the Scan service will use during the test. A test user is defined by the following credentials:
- username,
- password, and
- secret key for two-factor authentication (optional).
For apps that require authentication, we recommend providing the credentials of at least one test user. If you provide the credentials of two test users, we can run even more tests (specifically, tests centered around Broken Access Control).
Optional Settings
We provide a range of optional settings to guide the behavior of the Scan service when testing your app. These settings include:
- providing Basic Authentication credentials (RFC 7235),
- adding custom HTTP request headers,
- enabling/disabling mobile simulation,
- using known IP addresses for testing your app,
- adding hostnames to the allowlist,
- adding hostnames to the denylist, and
- configuring webhooks.
The settings listed above are saved under individual Test Profiles. You can have multiple Test Profiles for each app you set up in the Scan service. Whenever you start a new test of your app, you will be asked which Test Profile you would like to use. The settings saved in the chosen Test Profile will be applied throughout the test.
In the following sections, we will cover the available settings under Test Profiles in detail.
Basic Authentication
If the web server that hosts your app requires all requests to include a Basic Authentication header (following the RFC 7235 standard), you can provide the required username and password. The Scan service will automatically encode your credentials correctly and add an Authorization header with the Basic prefix and the encoded credentials as the value to all requests.
Custom HTTP Request Headers
You can add various HTTP headers that must be included in all requests sent to your app by the Scan service. The HTTP headers you provide must have unique keys (e.g., X-Scanner) and corresponding values (e.g., F5 Distributed Cloud Web App Scanning).
Enabling/Disabling Mobile Simulation
This option is disabled by default, but if you enable it, the Scan service will change the viewport of the Chrome for Testing instance used to test your application to mimic that of a modern smartphone. Depending on your app’s design, this may unlock functionality that might not be accessible to the scanner otherwise.
Using Known IP Addresses for Testing
Please refer to our article on known IP addresses for more information about this option.
Adding Hostnames to the Allowlist
If your app requires resources hosted on fully qualified domain names (FQDNs) different from the FQDN specified in the URL of your app’s entry point (as described in the Minimum Requirements section), you must include them in the allowlist to let the Scan service include them in the scope of the tests run on your app.
For example, if the frontend of your app is hosted on the FQDN app.example.com, but requires additional resources hosted on api.example.com and cdn.example.com, you must include api.example.com and cdn.example.com in the allowlist.
By default, the Scan service will only test resources hosted on the FQDN of the URL of the entry point unless they are included in the allowlist.
Adding Hostnames to the Denylist
If you would like to exclude resources hosted on specific FQDNs from the scope of the tests run on your app, you should include them in the denylist.
For example, if you do not wish to test resources hosted on private.example.com, you should add private.example.com to the denylist.
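The scope rules from the Allowlist and Denylist sections, written out as an added example (not code from the Scan service): only the entry-point FQDN is in scope by default, allowlisted FQDNs are added, denylisted FQDNs are removed. Two details the article does not spell out are assumptions here: the denylist takes precedence over the allowlist, and matching is on the exact FQDN, so a subdomain never inherits scope from its parent.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit


def hostname_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname of a URL, or None if the URL has none."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def in_scope(url: str, entry_point: str,
             allowlist: Iterable[str] = (), denylist: Iterable[str] = ()) -> bool:
    """Decide whether a resource URL falls inside the test scope of an app.

    Rules from the article: the FQDN of the entry-point URL is in scope by
    default, allowlisted FQDNs are added, denylisted FQDNs are excluded.
    Assumptions not stated in the article: the denylist wins over the
    allowlist, and comparison is on the exact FQDN (sub.api.example.com is
    not covered by an allowlist entry for api.example.com).
    """
    host = hostname_of(url)
    if host is None:
        return False  # relative or malformed reference, nothing to match on
    deny = {h.strip().lower() for h in denylist}
    allow = {h.strip().lower() for h in allowlist}
    if host in deny:
        return False
    return host == hostname_of(entry_point) or host in allow


def filter_scope(urls: Iterable[str], entry_point: str,
                 allowlist: Iterable[str] = (), denylist: Iterable[str] = ()) -> list:
    """Keep only the URLs a test with this profile would touch."""
    return [u for u in urls if in_scope(u, entry_point, allowlist, denylist)]
```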
Configuring Webhooks
Distributed Cloud Web App Scanning has native support for webhooks and lets you define API endpoints that should be called once a test on your app completes. You can define as many webhooks as you would like—they will all be called simultaneously as soon as a test on your app completes.
You can define webhooks that support the following HTTP methods:
- CONNECT,
- DELETE,
- GET,
- HEAD,
- OPTIONS,
- PATCH,
- POST,
- PUT, and
- TRACE.
Requests sent to API endpoints that support the PATCH, POST, or PUT method will include a JSON body with some details on the completed test that triggered the webhook. Below is an example of what such a body looks like:
{
"completed": "2024-09-04T13:33:20.936817+00:00",
"started": "2024-09-04T13:21:34.211644+00:00",
"profileId": "59ae9af8-ecac-4c1c-babc-72fabc2c9451",
"state": 3,
"id": "adc65c36-eef7-43ed-833a-f1354b5e0499",
"created": "2024-09-04T13:20:31.480615+00:00"
}
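A webhook receiver should not act on a body it has not checked. The validator below is an added example, not part of the Scan service or this article: it parses the body shown above, checks every field's presence and type, verifies the ids are well-formed UUIDs and the timestamps are ordered, and returns the test duration. The known_profiles argument is an assumed receiver-side list of expected Test Profile ids, not a product feature; the meaning of the state value is not documented here, so it is passed through unchanged.

```python
import json
import uuid
from datetime import datetime

# Expected fields and their JSON types, taken from the article's example body.
REQUIRED_FIELDS = {"id": str, "profileId": str, "state": int,
                   "created": str, "started": str, "completed": str}

def parse_webhook_body(raw, known_profiles=None):
    """Validate a Scan completion webhook body; raise ValueError if malformed.
    known_profiles (assumed, not a product feature) is the receiver's own list
    of Test Profile ids it expects to hear about."""
    data = json.loads(raw)  # JSONDecodeError is a ValueError subclass
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    for key, typ in REQUIRED_FIELDS.items():
        if key not in data:
            raise ValueError(f"missing field: {key}")
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(data[key], typ) or isinstance(data[key], bool):
            raise ValueError(f"wrong type for field: {key}")
    test_id = uuid.UUID(data["id"])  # ValueError if not a well-formed UUID
    profile_id = uuid.UUID(data["profileId"])
    if known_profiles is not None and str(profile_id) not in known_profiles:
        raise ValueError("unknown profileId")
    times = [datetime.fromisoformat(data[k]) for k in ("created", "started", "completed")]
    if any(t.tzinfo is None for t in times):
        raise ValueError("timestamps must carry a UTC offset")
    created, started, completed = times
    if not created <= started <= completed:
        raise ValueError("timestamps are out of order")
    return {"id": str(test_id), "profileId": str(profile_id), "state": data["state"],
            "duration_seconds": (completed - started).total_seconds()}

def is_valid_body(raw, known_profiles=None):
    """True when parse_webhook_body accepts the body, False otherwise."""
    try:
        parse_webhook_body(raw, known_profiles)
        return True
    except ValueError:
        return False

# Constructed sample input: the example body shown in the article.
SAMPLE_BODY = json.dumps({
    "completed": "2024-09-04T13:33:20.936817+00:00",
    "started": "2024-09-04T13:21:34.211644+00:00",
    "profileId": "59ae9af8-ecac-4c1c-babc-72fabc2c9451", "state": 3,
    "id": "adc65c36-eef7-43ed-833a-f1354b5e0499",
    "created": "2024-09-04T13:20:31.480615+00:00",
})
```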
Email Subscribers
Please refer to our article on email subscribers for more information about this option.
Summary
To summarize, an app in the Scan service in Distributed Cloud Web App Scanning is defined by the following:
- the URL of the entry point of your app (e.g., https://app.example.com/login) and
- credentials of the test user(s) to be used by the Scan service during tests.
The unique combination of the above is what defines an app in Distributed Cloud Web App Scanning.
Additionally, you can define multiple Test Profiles for each app. Working with multiple Test Profiles and running frequent tests of the same app using different Test Profiles will not cause Distributed Cloud Web App Scanning to count them as unique apps towards your usage quota.
For any additional questions on the definition of apps in Distributed Cloud Web App Scanning, please contact your Technical Account Manager.