Authentication Overview

Most real applications hide their interesting surface area behind a login. DAST Scanner supports four authentication strategies; pick the one that matches how your app expects callers to prove who they are.

Decision tree

| If your app is… | Use | Why |
|---|---|---|
| Public, no login (marketing site, open API) | None | Nothing to authenticate: scan the whole surface. |
| An API that accepts a Bearer/JWT/API key header | Token | The scanner attaches one header to every request. |
| A web app with a username + password form | Form | The scanner logs in once, captures the session, and replays it. |
| Complex, multi-step, or you don't want to encode selectors | AI-driven (Beta) | An LLM navigates the login flow for you. |

Every strategy is selectable in the Create Scan dialog (Step 2) and via the CLI / levo-dast.yml.

Dashboard vs CLI vs YAML

The same four strategies exist everywhere:

| Strategy | Dashboard (Step 2) | CLI flag | levo-dast.yml (auth.strategy) |
|---|---|---|---|
| None | None card | `--auth none` | `none` |
| Token | Token card | `--auth token --token $TOKEN` | `token` |
| Form | Form-based Login card | `--auth form --username … --password … --login-url …` | `form` |
| AI-driven | AI-driven card | `--auth ai` | `ai` |

Pre-Auth values (shared across strategies)

Three fields on the Authentication step apply regardless of which strategy you pick. Use them when your app needs state in place before the login request is sent:

  • Pre-Auth Cookies: CSRF tokens, tenant selectors, feature flags read by the login page.
  • Pre-Auth Headers: tenant headers (X-Tenant-Id), API gateway tokens, Accept-Language.
  • Local Storage Items / Local Storage Items (Base64): SPA bootstrap data read on first load, or base64-encoded blobs.

Never put secrets in `levo-dast.yml`

Passwords, bearer tokens, raw cookie values, and API keys always come from a CLI flag or environment variable, never from the YAML file. See the secrets policy.
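One way to enforce that policy in a CI wrapper, as an added example that is not part of this page or of the scanner's own tooling: the YAML carries only the non-secret `auth.strategy` value, the credentials come from environment variables, and the wrapper refuses to run if the YAML contains any credential-looking key. The CLI name `levo` (overridable via `LEVO_CLI`), the `SCAN_*` variable names, and the list of flagged keys are assumptions of this example; the `--auth form --username … --password … --login-url …` flags are the ones shown in the table above.

```shell
#!/bin/sh
# Added example: wrapper for a Form-based scan that keeps credentials out of
# levo-dast.yml. "levo", the SCAN_* variable names and the key list below are
# assumptions for this example, not the scanner's schema.

# Fail if any named environment variable is unset or empty.
require_env() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "missing required environment variable: $name" >&2
      return 1
    fi
  done
  return 0
}

# Heuristic check: refuse to proceed if the config file has a credential-
# looking key with a non-empty, non-comment value. The matched lines are
# printed so the author can see what tripped the check.
check_no_secrets_in_yaml() {
  grep -Ein '^[[:space:]]*(password|passwd|token|api[_-]?key|cookies?|secret|authorization)[[:space:]]*:[[:space:]]*[^[:space:]#]' "$1" \
    && { echo "refusing to run: credential-looking values in $1" >&2; return 1; }
  return 0
}

# Run a Form-based scan: strategy from the YAML, secrets from the environment.
run_form_scan() {
  config="${1:-levo-dast.yml}"
  check_no_secrets_in_yaml "$config" || return 1
  require_env SCAN_LOGIN_URL SCAN_USERNAME SCAN_PASSWORD || return 1
  "${LEVO_CLI:-levo}" --auth form \
    --username "$SCAN_USERNAME" \
    --password "$SCAN_PASSWORD" \
    --login-url "$SCAN_LOGIN_URL"
}
```

In a pipeline, `SCAN_USERNAME`, `SCAN_PASSWORD` and `SCAN_LOGIN_URL` would be injected from the CI secret store and `run_form_scan levo-dast.yml` called as the scan step; the key list in `check_no_secrets_in_yaml` is deliberately broad, so extend it with whatever names your own config tends to use.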

Picking a test account

  • Create a dedicated scan account in each environment; don't reuse a developer's account.
  • Give it the same role as a normal user (not admin) unless you want admin-only paths tested.
  • Expect the scan to submit forms, trigger emails, and change state. Keep it off production where possible; see Scanning production safely.

Next

  • None: simplest, start here if you don't have a login.
  • Token: one header, one scan.
  • Form: the most common case.
  • AI-driven: when the flow is too complex to script.