Authentication Verification Best Practices
When configuring authentication verification in ZAP automation plans, it is recommended to explicitly define the verification method instead of relying on automatic detection.
Defining a stable verification method improves scan reliability and prevents false authentication failures during automated scans.
Recommended Approach
For most applications, use the poll verification method with a stable authenticated endpoint (pollUrl). This allows ZAP to continuously verify that the session remains authenticated during the scan.
Example:

```yaml
verification:
  method: poll
  pollUrl: https://example.com/api/user/profile
```
The endpoint specified in pollUrl should meet the following conditions:
- Accessible only after successful authentication
- Returns HTTP 200 when the session is authenticated
- Returns HTTP 401, 403, or different content when the session is not authenticated
Using a stable authenticated endpoint ensures consistent verification for both traditional web applications and modern frontend frameworks.
SPA (Single Page Application) Considerations
For Single Page Applications (SPA) such as those built with React, Angular, or Vue, authentication is typically handled through backend APIs rather than page redirects.
In these cases:
- Prefer using the `poll` verification method with a backend API endpoint.
- If the API response contains a predictable field (such as username, email, or user object), the `response` verification method may optionally be used.
Example:

```yaml
verification:
  method: response
  responseBodyRegex: "email"
```
This method requires that the response body contains a consistent and reliable value that can be matched during verification.
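The following pre-flight check is an added example, not part of the original page or of ZAP itself. It encodes the `pollUrl` conditions listed above (authenticated request gets 200; anonymous request gets 401/403 or different content) and the "consistent and reliable value" requirement for a `response` regex, and runs them over constructed sample responses. The `Response` class and the sample bodies are assumptions made for the example; in practice you would fill them from two real requests, one with a valid session and one without.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP response: status code plus decoded body (assumption for this example)."""
    status: int
    body: str


def check_poll_url(authenticated: Response, anonymous: Response) -> list[str]:
    """Return the problems found with a candidate pollUrl; an empty list means it is usable.

    Conditions checked:
      1. the authenticated session receives HTTP 200
      2. the anonymous request receives 401/403, or at least a different body,
         so that a lost session is actually detectable
    """
    problems = []
    if authenticated.status != 200:
        problems.append(f"authenticated request returned {authenticated.status}, expected 200")
    if anonymous.status not in (401, 403) and anonymous.body == authenticated.body:
        problems.append(
            "anonymous request returned the same status and body as the authenticated one; "
            "the endpoint cannot distinguish logged-in from logged-out"
        )
    return problems


def check_response_regex(pattern: str, authenticated_bodies: list[str], anonymous_bodies: list[str]) -> list[str]:
    """Check that a regex intended for `method: response` is stable and selective.

    The pattern must match every authenticated sample (stable across calls) and must not
    match any anonymous sample (otherwise a logged-out session is reported as logged in).
    """
    rx = re.compile(pattern)
    problems = []
    for i, body in enumerate(authenticated_bodies):
        if not rx.search(body):
            problems.append(f"pattern did not match authenticated sample #{i}")
    for i, body in enumerate(anonymous_bodies):
        if rx.search(body):
            problems.append(f"pattern matched anonymous sample #{i}; a logged-out session would pass verification")
    return problems


# Constructed sample data (not captured from a real application).
PROFILE_AUTH = Response(200, '{"id": 42, "email": "alice@example.com", "name": "Alice"}')
PROFILE_ANON = Response(401, '{"error": "unauthorized"}')
# A health endpoint answers identically with or without a session: unusable as pollUrl.
HEALTH_ANY = Response(200, '{"status": "ok"}')

AUTH_BODIES = [PROFILE_AUTH.body, '{"id": 42, "email": "alice@example.com", "name": "Alice M."}']
# A login error page mentioning the word "email" shows why a bare word is too loose a regex.
ANON_BODIES = [PROFILE_ANON.body, '{"error": "invalid email or password"}']


def main() -> None:
    print("profile endpoint:", check_poll_url(PROFILE_AUTH, PROFILE_ANON) or "OK")
    print("health endpoint:", check_poll_url(HEALTH_ANY, HEALTH_ANY) or "OK")
    print('regex "email":', check_response_regex("email", AUTH_BODIES, ANON_BODIES) or "OK")
    print(r'regex "email"\s*: :', check_response_regex(r'"email"\s*:', AUTH_BODIES, ANON_BODIES) or "OK")


if __name__ == "__main__":
    main()
```

The last two checks illustrate the caveat: a loose pattern such as `email` also matches an "invalid email or password" error body, so a lost session would still verify as logged in; anchoring the pattern to the JSON key (`"email"\s*:`) keeps it reliable.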
Avoid Using autodetect in Most Cases
The autodetect verification method attempts to automatically determine authentication state by analyzing traffic patterns and response behavior.
In practice, this method can be unreliable, particularly for:
- Single Page Applications (SPA)
- Token-based authentication mechanisms
- API-driven authentication flows
- Applications without clear login redirects
Because of these limitations, autodetection may incorrectly report:
- authentication failures
- verification failures
- invalid credential errors
For this reason, it is recommended to avoid relying on autodetect whenever possible and instead configure an explicit verification method.
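As an added example (not part of this page or of ZAP), the linter below walks an automation plan and flags the configurations this guidance warns against: a context with no explicit verification method, `autodetect`, `poll` without a `pollUrl`, and `response` without a regex. It assumes the plan is loaded as a dict laid out as `env.contexts[].authentication.verification`, and uses the key names shown in the examples on this page (`method`, `pollUrl`, `responseBodyRegex`); the two sample plans are constructed for the example, one with the weak setting and one corrected.

```python
def lint_context(context: dict) -> list[str]:
    """Return findings for one context's authentication verification block."""
    name = context.get("name", "<unnamed>")
    verification = (context.get("authentication") or {}).get("verification") or {}
    method = verification.get("method")
    findings = []

    if not method:
        findings.append(f"{name}: no explicit verification method; define method: poll with a stable pollUrl")
    elif method == "autodetect":
        findings.append(f"{name}: verification uses autodetect; switch to method: poll with a stable pollUrl")
    elif method == "poll":
        url = str(verification.get("pollUrl") or "")
        if not url:
            findings.append(f"{name}: method poll requires pollUrl")
        elif not url.startswith(("http://", "https://")):
            findings.append(f"{name}: pollUrl should be an absolute URL, got {url!r}")
    elif method == "response":
        if not verification.get("responseBodyRegex"):
            findings.append(f"{name}: method response requires responseBodyRegex")
    # Other methods are outside this guidance and are left alone.
    return findings


def lint_plan(plan: dict) -> list[str]:
    """Lint every context in an automation plan (assumed layout: env.contexts[])."""
    findings = []
    for context in (plan.get("env") or {}).get("contexts") or []:
        findings.extend(lint_context(context))
    return findings


def lint_plan_file(path: str) -> list[str]:
    """Convenience wrapper: read a plan from disk (requires PyYAML)."""
    import yaml  # imported lazily so the checks themselves need only the standard library
    with open(path, encoding="utf-8") as fh:
        return lint_plan(yaml.safe_load(fh))


# Constructed sample plans (not taken from a real project).
WEAK_PLAN = {
    "env": {
        "contexts": [
            {"name": "shop-autodetect",
             "authentication": {"method": "form", "verification": {"method": "autodetect"}}},
            {"name": "shop-poll-missing-url",
             "authentication": {"method": "form", "verification": {"method": "poll"}}},
            {"name": "shop-no-verification",
             "authentication": {"method": "form"}},
        ]
    }
}

GOOD_PLAN = {
    "env": {
        "contexts": [
            {"name": "shop",
             "authentication": {
                 "method": "form",
                 "verification": {"method": "poll",
                                  "pollUrl": "https://example.com/api/user/profile"}}},
        ]
    }
}


if __name__ == "__main__":
    for finding in lint_plan(WEAK_PLAN):
        print("WARN", finding)
    print("corrected plan findings:", lint_plan(GOOD_PLAN) or "none")
```

Run it against a plan before handing it to ZAP; a clean result means every context names its verification method explicitly and supplies the parameter that method depends on.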
Summary
| Scenario | Recommended Verification Method |
|---|---|
| Traditional web applications | poll |
| Single Page Applications (SPA) | poll |
| API-based authentication | poll |
| APIs with predictable response fields | response (optional) |
| General use | Avoid autodetect |
Using explicit verification methods ensures more reliable authentication validation and reduces scan failures caused by incorrect session detection.