Set Up HTTP Authentication

When you select the Basic authentication type, tell us the username and password to use for authentication. Then, specify the protected device or web page you want to authenticate against. You can specify a virtual host (an FQDN such as bank.qualys.com) or the name of a realm (such as My Homepage) or IP/IP ranges.

When you select Authentication Vault, specify the Username of a vault account,  select the Vault type as Hashicorp, and select the Vault Title. You must select Active Directory (AD) Secrets Engine while creating the HTTP authentication records.

Note: 

• You cannot enter a virtual host, realm, and IP address in the same record.
• For successful HTTP authentication scan results, you must select Standard Scan by going to Policy Compliance > Option profile and editing the compliance profile. A new window opens. Go to Scan, select Standard Scan under Ports, and save.

 

Select the “Send authentication over SSL only” option if you only want to attempt authentication over SSL. In this case authentication is attempted only when the form is submitted via a link that uses https://...

During a vulnerability scan, if we come across a web page that requires HTTP authentication then we’ll check to see if an HTTP record exists in your account with applicable credentials. If a record exists, we’ll use the credentials in the record to perform HTTP authentication.

You can create vulnerability scan reports that include authentication status QIDs (Information Gathered). These QIDs report details about HTTP protocol level authentication: QID 86762 "Web Authentication Methods" and QID 105315 "Web Authentication Failed".

Where can I get the scan result for the HTTP authenticated recorded created?Where can I get the scan result for the HTTP authenticated recorded created?

Under the Appendix section, you can view the scan result for the HTTP authenticated record created.

Why use host authentication