application icon

Scrutiny 9 Authentication and Advanced Settings

With great power comes great responsibility

Most of the basic settings are described on the Settings page. Below are some advanced or obscure settings which are found on the 'Authentication | Advanced' tab.



Scrutiny can check some sites which require authentication. Be aware that switching on this setting can damage your site including deleting your pages.

Yes, really, some content management systems have buttons for managing pages, including deleting pages, which look like links to Scrutiny.

If you are going to use either or both of the 'handle cookies' or the 'attempt to authenticate' settings and have such controls on your website, then:

- try to exclude such controls from being checked by using 'Don't check links containing'
- make sure you don't scan the 'admin' interface of your site
- log in using a user account with only 'reader' rights
- make sure your site is backed up and you are prepared to restore if the worst happens
- It's also important to blacklist (with 'do not check') your logout link(s), eg set up a rule that says 'don't check urls containing logout' (or whatever)

Getting authentication to work can take some trial and error - there's a thorough article here (external link)

Render page (run javascript)

If a page requires javascript to populate some or all content, it may display its 'noscript' text in browsers with javascript disabled and that may be what Scrutiny sees. If your site requires javascript to be switched on then Scrutiny can run javascript before scanning the page.

Check Render page (run javascript) to switch on this feature. The scan will be slower and use far more resources, so only use this option if you're absolutely sure that it's absolutely necessary.

Note that script will be executed that usually runs when the page loads, but Scrutiny can't perform user actions like clicking menus, or trawl through javascript searching for links.

Always trust invalid server certificate

If the certificate for a secure url is expired or invalid, a browser user usually has the option to cancel or trust it. Check this option if you want Scrutiny to trust all invalid certificates it encounters, rather than giving an 'invalid certificate' status.

Default file name if crawling locally

If you're scanning your site locally rather than by http, then a link to a directory ( ) has no filename. It's valid when using the web because the server will return the index page or redirect to it, but for local crawling we have to assume the filename. It's usually something like index.html

Ignore session id within querystring

This setting will ignore the session id within the querystring, but leave the rest of the querystring intact. Some sites assign a session id in the querystring ( ?sid=12345 ) and this may change during the scan, leading to the same page being logged many times and the scan never finishing. One solution is to set 'ignore querystrings' but sometimes this isn't possible if other parameters within the querystring are essential. Using this setting, you can ask Scrutiny to remove just the session id (or any other single parameter from the querystring).

Custom Request Header Fields

These field names and values are included in the server request sent to all urls.