Vulnerability scan best practice



Hi everyone,

Are there any good practices to achieve a vulnerability scan through Cloudflare with the WAF activated?

Should I scan the public IP by bypassing Cloudflare and whitelist my scanner on the server side? Or should I scan through Cloudflare and create a rule to allow the scan traffic from my scanner IP?

Thanks in advance


Scan the origin IP address, because that’s the juiciest target.

Whitelist the scanner? Why would you purposefully open a hole in your security system to look for vulnerabilities?

For curiosity’s sake, I’d try all of the above to get a full picture, but give greater weight to the scans against your current configuration in its natural state.