Setup Guides

Configure Your Infrastructure

If our scanner is being blocked by your security settings, follow these provider-specific guides to enable scanning.

Rate Limiting

If your endpoint has rate limiting, adjust your scan speed. Slower speeds are less likely to trigger rate limits.

Fast

Best for endpoints with no rate limiting

5-7 min | ~10 req/s

Normal

Balanced speed and reliability (default)

10-12 min | ~3 req/s

Slow

For rate-limited or strict endpoints

18-22 min | ~1 req/s

Vercel

If you see "Vercel Security Checkpoint" blocking requests

Configuration Steps

  1. Disable Attack Challenge Mode

     Go to your Vercel project settings → Security → Set Attack Challenge Mode to "Disabled" or configure exceptions for your API routes.

  2. Adjust Firewall Rules (if using Vercel Firewall)

     Navigate to Settings → Security → Firewall and increase rate limit thresholds for API routes.

  3. Alternative: Use a staging deployment

     Create a preview or staging deployment with relaxed security settings for testing.

Example Configuration
// Vercel Dashboard Configuration
// Security settings are managed in the Vercel Dashboard:

// 1. Project Settings → Security → Attack Challenge Mode
//    - Toggle OFF for API routes during scanning

// 2. Project Settings → Security → Firewall
//    - Add rule: Allow requests to /api/* paths
//    - Increase rate limit thresholds

// 3. For programmatic control, use Vercel API:
//    https://vercel.com/docs/rest-api/endpoints#projects

Cloudflare

If you see "Checking your browser" or cf-challenge responses

Configuration Steps

  1. Create a Firewall Exception

     Go to Security → WAF → Tools and create a rule to bypass security for your API paths.

  2. Disable Bot Fight Mode Temporarily

     Navigate to Security → Bots and toggle off Bot Fight Mode for the duration of the scan.

  3. Adjust Rate Limiting Rules

     Review and increase rate limiting thresholds for your API endpoints.

Example Configuration
# Cloudflare Firewall Rule Expression
# Skip security for API paths:
(http.request.uri.path contains "/api/")

# Action: Skip all remaining rules
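The expression above skips the remaining WAF rules for every client that touches /api/. The following added example (written for this guide, not Cloudflare's own documentation or code) narrows the same skip rule to the scanner's source address, using the scanner IP quoted in the Google Cloud section, and creates it through the Rulesets API. It assumes a zone id, an API token with WAF edit permission in CF_API_TOKEN, and that the custom-rules phase entrypoint path shown matches the current Rulesets API.

```shell
#!/bin/sh
# Added example, not part of the evalfa.st guide or Cloudflare's docs.
# Builds a custom WAF rule that skips the remaining rules only for the scanner's
# source address on API paths, instead of for every client hitting /api/.
# Assumes: scanner egress IP 94.130.229.172 (from this guide), a zone id, and an
# API token with "Zone WAF: Edit" exported as CF_API_TOKEN.

# Rule expression: both conditions must hold, so other clients still pass
# through the full rule set.
scanner_skip_expression() {
  scanner_ip=$1
  api_prefix=${2:-/api/}
  printf '(ip.src eq %s and http.request.uri.path contains "%s")' "$scanner_ip" "$api_prefix"
}

# JSON body for the custom-rules entrypoint. "skip" with ruleset "current" is
# the API form of the dashboard action "Skip all remaining rules".
scanner_skip_rule_payload() {
  expr=$(scanner_skip_expression "$1" "$2")
  escaped=$(printf '%s' "$expr" | sed 's/"/\\"/g')
  printf '{"action":"skip","action_parameters":{"ruleset":"current"},"expression":"%s","description":"Temporary: evalfa.st scanner bypass"}' \
    "$escaped"
}

# POST the rule to the zone's custom-rules phase. The endpoint path is assumed
# from Cloudflare's Rulesets API; confirm it against the current docs.
cloudflare_create_scanner_skip_rule() {
  zone_id=$1; scanner_ip=$2; api_prefix=${3:-/api/}
  curl -sS -X POST \
    "https://api.cloudflare.com/client/v4/zones/$zone_id/rulesets/phases/http_request_firewall_custom/entrypoint/rules" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$(scanner_skip_rule_payload "$scanner_ip" "$api_prefix")"
}
```

Delete the rule (or re-enable Bot Fight Mode and the rate limits) once the scan has finished; the description field is there so the temporary rule is easy to find in the dashboard afterwards.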

AWS (API Gateway / WAF)

If you see rate limiting or WAF blocks from AWS

Configuration Steps

  1. Increase API Gateway Throttling

     Open API Gateway → Stages → Throttling settings and increase rate and burst limits.

  2. Adjust WAF Rules

     If using AWS WAF, set relevant rules to "Count" instead of "Block" during testing.

  3. Alternative: Create a Testing Stage

     Create a dedicated testing stage without throttling restrictions.

Example Configuration
// AWS WAF rate-based rule switched to Count mode for testing: matching
// requests are logged and counted instead of blocked.
// VisibilityConfig is required by the WAFv2 API; the metric name here
// simply mirrors the rule name.
{
  "Name": "AllowSecurityScanning",
  "Priority": 0,
  "Action": { "Count": {} },
  "Statement": {
    "RateBasedStatement": {
      "Limit": 10000,
      "AggregateKeyType": "IP"
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AllowSecurityScanning"
  }
}

Google Cloud

If you see Cloud Armor blocks, IAP challenges, or permission errors

Configuration Steps

  1. Allow Scanner IP in Cloud Armor

     Go to Network Security → Cloud Armor policies → Select your policy → Add a rule with action "Allow" for source IP 94.130.229.172 with a higher priority than your block rules.

  2. Configure Cloud Run / Cloud Functions Access

     If your endpoint requires authentication, either set the Cloud Run service to "Allow unauthenticated invocations" for scanning, or configure an ingress rule allowing the scanner IP.

  3. Disable or Bypass IAP (if applicable)

     If using Identity-Aware Proxy, create an access level in Access Context Manager that allows the scanner IP, or temporarily disable IAP for the scanning endpoint.

  4. Alternative: Use a Staging Service

     Deploy a staging version of your Cloud Run or Cloud Function service without Cloud Armor or IAP for security testing.

Example Configuration
# Google Cloud Armor - Allow scanner IP
gcloud compute security-policies rules create 900 \
  --security-policy=YOUR_POLICY_NAME \
  --src-ip-ranges=94.130.229.172/32 \
  --action=allow \
  --description="Allow evalfa.st security scanner"

# Cloud Run - Allow unauthenticated (for staging)
gcloud run services update YOUR_SERVICE \
  --ingress=all \
  --allow-unauthenticated \
  --region=YOUR_REGION
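The two commands above open the exception but nothing closes it again. The following added example (written for this guide, not Google's or evalfa.st's own tooling) wraps a scan in the Cloud Armor allow rule so the rule is deleted as soon as the scan command exits, whatever its result, and adds the matching command to put a Cloud Run service back behind IAM. It assumes gcloud is already authenticated against the project that owns the policy, that rule priority 900 is free, and the scanner IP quoted in this guide.

```shell
#!/bin/sh
# Added example, not part of the evalfa.st guide or Google's docs.
# Wraps a scan in a temporary Cloud Armor allow rule so the exception is removed
# as soon as the scan finishes, whether it succeeded or failed.
# Assumes: gcloud is authenticated for the project that owns the policy, rule
# priority 900 (as in the guide) is unused, and the scanner IP quoted above.

SCANNER_IP=${SCANNER_IP:-94.130.229.172}
RULE_PRIORITY=${RULE_PRIORITY:-900}

# Create the allow rule. A lower priority number takes precedence, so 900 must
# sit numerically below the deny rules it is meant to override.
add_scanner_allow() {
  policy=$1
  gcloud compute security-policies rules create "$RULE_PRIORITY" \
    --security-policy="$policy" \
    --src-ip-ranges="$SCANNER_IP/32" \
    --action=allow \
    --description="Temporary: evalfa.st scanner (remove after scan)"
}

# Remove the rule again; --quiet suppresses the interactive confirmation.
remove_scanner_allow() {
  policy=$1
  gcloud compute security-policies rules delete "$RULE_PRIORITY" \
    --security-policy="$policy" --quiet
}

# Usage: with_temporary_scanner_allow POLICY command [args...]
# Runs the command with the rule in place, deletes the rule afterwards, and
# returns the command's own exit status so a failed scan is still visible.
with_temporary_scanner_allow() {
  policy=$1; shift
  add_scanner_allow "$policy" || return 1
  rc=0
  "$@" || rc=$?
  remove_scanner_allow "$policy"
  return "$rc"
}

# Companion for the Cloud Run step: once the scan is over, put the staging
# service back behind IAM (the guide's update opened it with --allow-unauthenticated).
restore_cloud_run_auth() {
  service=$1; region=$2
  gcloud run services update "$service" --no-allow-unauthenticated --region="$region"
}
```

A typical call is `with_temporary_scanner_allow YOUR_POLICY_NAME ./run-scan.sh`, where `run-scan.sh` is whatever starts and waits for the scan; the only hard requirement is that the command returns when the scan is done.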

Netlify

General guidance for Netlify deployments

Configuration Steps

  1. Check Function Invocation Limits

     Ensure you have sufficient headroom in your Netlify Function invocation limits.

  2. Use Slow Scan Speed

     If experiencing issues, select "Slow" scan speed to reduce request rate.

  3. Monitor Edge Function Timeouts

     Netlify Edge Functions have a 50s timeout - ensure your AI endpoint responds within this limit.

Example Configuration
# netlify.toml - bundle the AI SDK with your functions and route the edge
# function that serves the endpoint (TOML comments use '#'; the function
# timeout itself is not set in this file)
[functions]
  external_node_modules = ["openai"]

[[edge_functions]]
  function = "your-ai-endpoint"
  path = "/api/chat"

General Tips

  • If unsure, start with the Slow scan speed - you can always run another scan faster later.
  • Consider using a staging environment for security testing if your production has strict protections.
  • Our scans are read-only - we never modify your data or system state.
  • The readiness check runs 5 quick requests to detect issues before the full scan.
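The readiness check in the last tip and the scan speeds in the Rate Limiting section are easy to reproduce locally before booking a scan. The following added example (written for this guide, not evalfa.st's own scanner code) sends a handful of requests at the chosen speed and maps each response to the provider section whose symptoms it shows. It assumes curl is available, and the markers it looks for are the ones this guide names (the "Vercel Security Checkpoint" body text, Cloudflare's "Checking your browser" page and its cf-mitigated header, HTTP 429 for rate limiting, HTTP 403 for WAF or IAP denies); it is not a complete catalogue of block pages.

```shell
#!/bin/sh
# Added example, not part of the evalfa.st guide. A local stand-in for the
# guide's readiness check: send a few requests at the chosen scan speed and map
# each response to the provider section whose symptoms it shows.
# Assumes: curl is installed; the Vercel and Cloudflare markers below are the ones
# named in this guide (body text plus the cf-mitigated header), not a full list.

# Map one response (status code, header file, body file) to a verdict.
classify_block() {
  status=$1; headers=$2; body=$3
  if grep -qi 'Vercel Security Checkpoint' "$body"; then
    echo vercel-checkpoint; return 0
  fi
  if grep -qi '^cf-mitigated:[[:space:]]*challenge' "$headers" \
     || grep -qi 'Checking your browser' "$body"; then
    echo cloudflare-challenge; return 0
  fi
  case "$status" in
    429) echo rate-limited ;;        # drop to a slower scan speed first
    403) echo waf-block ;;           # AWS WAF, Cloud Armor or IAP deny
    2??) echo ok ;;
    *)   echo "unexpected-$status" ;;
  esac
}

# Inter-request delay for each scan speed, from the guide's request rates.
delay_for_speed() {
  case "$1" in
    fast)   echo 0.1 ;;   # ~10 req/s
    normal) echo 0.33 ;;  # ~3 req/s
    slow)   echo 1 ;;     # ~1 req/s
    *) return 1 ;;
  esac
}

# Default fetcher: URL, header file, body file; prints the HTTP status code.
fetch_with_curl() {
  curl -sS -o "$3" -D "$2" -w '%{http_code}' "$1"
}

# readiness_check URL [speed] [count]
# Prints "<ok>/<count> ok; first problem: <verdict>". FETCH can be pointed at
# another command with the same arguments for dry runs without a network.
readiness_check() {
  url=$1; speed=${2:-normal}; count=${3:-5}
  delay=$(delay_for_speed "$speed") || { echo "unknown speed: $speed" >&2; return 2; }
  tmp=$(mktemp -d)
  i=0; ok=0; first=none
  while [ "$i" -lt "$count" ]; do
    status=$(${FETCH:-fetch_with_curl} "$url" "$tmp/headers" "$tmp/body")
    verdict=$(classify_block "$status" "$tmp/headers" "$tmp/body")
    if [ "$verdict" = ok ]; then
      ok=$((ok + 1))
    elif [ "$first" = none ]; then
      first=$verdict
    fi
    i=$((i + 1))
    if [ "$i" -lt "$count" ]; then sleep "$delay"; fi
  done
  rm -rf "$tmp"
  echo "$ok/$count ok; first problem: $first"
}
```

Run it as `readiness_check https://your-app.example/api/chat slow 5` against a staging URL: a run that reports `5/5 ok` at the speed you intend to use means the provider configuration above is in place; a `rate-limited` verdict at one speed is the cue to retry at the next slower one before touching any firewall rule.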