Verifying a domain

Before you can scan a domain on the Internet, ASoC must verify that you have permission to scan it. Verification is not needed for domains that are not available on the Internet (private sites).

About this task

You can verify a domain either by adding a small file to its root folder, or confirming your permission by clicking an email link.


  1. In Settings > Domains, click Verify a new domain.
  2. Select your preferred verification method:
    • I'll add a verification file to my site's root folder
      1. Click Download to save the file to your machine.
      2. Add the file to the root directory of your site (make sure to add it in a location above all parts of the site that you will be scanning).
    • Send me an email with a verification link
      1. Click Send email.
      2. Open your the email sent to you and click the link.
  3. Click Done.
    The site is added to the list of domains, with status "Pending" The first time you run a scan, ASoC will verify the file you added, and change the status to "Verified".


If your app includes links to URLs outside the domain of the Starting URL, they must be verified to be included in the scan (unless they are private sites and you are using an AppScan Presence. Consider these examples:


The Starting URL is:

The site has links to, which is a sub-domain of

The sub domain will be automatically included in the verification and scanning.

Parallel or parent domains:

The Starting URL:

The site has links to a parallel domain, or to parent domain, and you want those links included in the scan.

To ensure full coverage:
  • Verify, OR
  • Verify and, and when creating the scan in Create scan > Dynamic (DAST), clear the Include only links in and below this directory check box.