-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathstackhawk-auth-external-token-header.yml
More file actions
39 lines (39 loc) · 2.25 KB
/
stackhawk-auth-external-token-header.yml
File metadata and controls
39 lines (39 loc) · 2.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# Externally authenticate to your application w/ token based authorization.
app:
applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
env: Development
host: ${APP_HOST:http://localhost:9000}
# How should the scanner authenticate to your application when performing a scan.
authentication:
# External authentication allows you to perform authentication in any manner you choose.
# This may be required if your app as a non-standard or multi-step authentication process.
external:
# The authorization type expected from your auth process.
# TOKEN and COOKIE and are currently supported.
type: TOKEN
# The value of the token received from a successful authentication.
# Your authorization token should be passed in via a runtime environment variable
# As it will likely need to be performed at time of scan. eg: docker run -e AUTH_TOKEN=<mytoken>
value: ${AUTH_TOKEN}
# Token based authorization. If your app doesn't use cookies to maintain session/authorization state then
# you'll likely need to pass the token on every request to the authenticated routes of your application.
tokenAuthorization:
# The method by which the token will be passed to your application.
# In this case a header is expected
type: HEADER
# The name of the header that the token will be passed with requests authenticated routes.
value: Authorization
# The token type when using the Authorization header as is being used here.
# Bearer is the most common value but custom names like "JWT" or "token" are sometimes required.
bearerName: Bearer
loggedInIndicator: "\\QMy profile\\E"
loggedOutIndicator: "\\QUsername: \\E"
# The testPath configuration is used to confirm scanning as an authenticated user is configured successfully.
testPath:
# The type is either HEADER or BODY and informs the success or fail regex of what part of the response to match against.
type: HEADER
# A path to validate that authentication was successful. This path should be only accessible to authenticated users.
path: /profile
# Success criteria regex pattern.
# A successful match indicates that the response from the path specified was successful
success: ".*200.*"