Setting up authenticated scans (OWASP Zap)

You can set up scans to run as a logged-in user of your website or web app.

Last updated on 15 Jan, 2026

 - Available on Premium tier plans -

When running the OWASP Zap web application scanner, you can configure authentication so that the scan covers sections behind your website's login page.

There are three options for setting up an authenticated scan:

  1. Use a recorded login. This is the most flexible option for configuring authentication. You record the login steps using Selenium, a standard browser recording technology. When a scan is run, the scanner replays the recorded steps to authenticate. See the Recorded Login Documentation for full details.

  2. Configure basic authentication.

  3. Set custom request headers or cookies. You can set extra headers or cookies as needed, which will be included in all requests from the scanner. See Customize Request Headers.

 

 
