
Understanding Custom Headers in Snyk API & Web

Learn what Custom Headers are used for and how to configure them

Written by Ana Pascoal

When performing a Dynamic Application Security Testing (DAST) scan, your scanner acts like an automated user, navigating your site and testing for vulnerabilities. However, modern security infrastructure (such as WAFs) or complex authentication requirements can often block these "automated" requests unless they are properly identified.

This guide explains why you need custom headers and how to set them up in Snyk API & Web.

What are Custom Headers used for?

In a DAST scan, custom headers serve three primary purposes:

  1. Identifying requests: Because every request includes the defined custom headers, they can be used to identify scanner traffic, most notably to allow it through a WAF. By adding a unique custom header (e.g., X-SnykApiWeb-Scan: true), you can tell your WAF to allow the scanner’s traffic while still protecting the site from actual malicious bots.

  2. Authentication & Authorization: Some APIs require specific headers for every request to prove identity, such as Authorization: Bearer <token> or custom API keys.

  3. Environment Signaling: You can use headers to trigger specific behaviors in your application during a scan, such as disabling certain "human-only" checks like CAPTCHAs or preventing the app from sending real emails during the test.
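Purposes 1 and 3 above describe what the receiving side does with the header once it arrives. The following Python is an added example, not Snyk's code, of the application-side check: it assumes a hypothetical header X-SnykApiWeb-Scan whose value is a per-environment secret (read from SCAN_HEADER_SECRET), verifies it in constant time, and enables scan-only behaviour (CAPTCHA skipped, outbound mail suppressed) only in non-production environments.

```python
import hmac
import os
from dataclasses import dataclass, field

# Constructed values, not from Snyk: the header name configured on the Target
# and its expected value, treated as a shared secret read from the environment.
SCAN_HEADER = "X-SnykApiWeb-Scan"
SCAN_SECRET = os.environ.get("SCAN_HEADER_SECRET", "constructed-demo-secret")
# Scan-time behaviour is only ever switched on outside production.
NON_PROD_ENVS = {"staging", "qa", "dev"}

@dataclass
class Request:
    """Minimal stand-in for a web framework's request object."""
    headers: dict = field(default_factory=dict)
    is_scanner: bool = False

def is_scanner_request(headers: dict, app_env: str) -> bool:
    """True only when the scan header carries the expected secret and the
    application is not running in production."""
    if app_env not in NON_PROD_ENVS:
        return False
    # HTTP header names are case-insensitive; normalise before looking up.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SCAN_HEADER.lower())
    if presented is None:
        return False
    # Constant-time comparison: the header value acts as a credential.
    return hmac.compare_digest(presented.encode(), SCAN_SECRET.encode())

def scan_middleware(request: Request, app_env: str) -> Request:
    """Flags verified scanner traffic once; downstream code reads the flag."""
    request.is_scanner = is_scanner_request(request.headers, app_env)
    return request

def captcha_required(request: Request) -> bool:
    """Environment signalling: skip the CAPTCHA only for verified scanner traffic."""
    return not request.is_scanner

def send_email(request: Request, outbox: list, message: str) -> bool:
    """Environment signalling: suppress real mail during a scan.
    Returns True only when the message was actually queued for delivery."""
    if request.is_scanner:
        return False
    outbox.append(message)
    return True
```

A WAF allow rule follows the same pattern: match on the exact header value, not merely on the header's presence, and scope the rule to the environment being scanned.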

How to Configure Custom Headers

In Snyk API & Web, you can configure Custom Headers at the Target level. This ensures that every request sent by the crawler and scanner to that specific application includes your required headers.

Step-by-Step Configuration

  1. Log in to Snyk API & Web.

  2. From the Targets list, locate the target you want to configure and click on the cogwheel icon to navigate to the respective Settings.

  3. Click on the Scanner tab of the Target settings.

  4. Locate the Custom Headers module:

    • Enter the custom header name (e.g., X-Scan-Origin).

    • Enter the corresponding value (e.g., Snyk-DAST-Scanner).

    • Choose whether to test this header during the scan. When unchecked (default), the header is sent as-is with every request but is not tested for vulnerabilities. When checked, the scanner also treats the header value as an attack surface and runs security checks against it.

  5. Click Add to save the custom header.

You can also set up Static Custom Headers for authentication purposes. Learn more in the guide How to set target authentication: OpenAPI.
