Configure your server to allow XBOW requests
Configure firewall access and infrastructure settings to enable XBOW testing.
Before you start: Review Protecting targets during XBOW testing to understand the trade-offs between different access methods and rate limiting approaches.
Configure firewall access
Choose the access method that best fits your security requirements and configure your WAF accordingly. See Allowing access through your firewall for guidance on choosing the right method.
Option 1: Configure a custom bypass header (recommended)
A bypass header is a custom header that XBOW includes in all test requests. Configure your WAF to allow requests with this header.
- On the “Target configuration” page, expand the “Custom headers” section.
- Click “Add header” to display a pair of “Name” and “Value” fields with an associated icon.
- In the “Name” field, enter your header name (for example, X-XBOW-Test).
- In the “Value” field, enter a secure, unique value (for example, a UUID or random string).
- Configure your WAF to allow requests containing this header.
Tip: Using a bypass header makes it easy for your security team to detect and distinguish XBOW’s traffic from other traffic in logs and monitoring tools.
Option 2: Add XBOW IP addresses to your WAF allowlist
- Review the XBOW IP address ranges in Access requirements.
- Configure your WAF to allow traffic from these IP addresses to your test target.
- Verify that the allowlist rules are active before starting your assessment.
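As an added illustration of the decision a WAF rule makes under Option 1 and Option 2 (this is example code written for this page, not XBOW's or any WAF vendor's implementation): the bypass header is matched by name case-insensitively and by value with a constant-time comparison, the client address is checked against the allowlisted ranges, and each request gets a label that can be written to logs so XBOW traffic is distinguishable from everything else. The header value and the IP ranges below are constructed placeholders; take the real ranges from Access requirements.

```python
import ipaddress
import secrets
from typing import Mapping

# Constructed placeholder: use the random value you entered in the "Value" field
# on the "Target configuration" page, never a guessable string.
BYPASS_HEADER_NAME = "X-XBOW-Test"
BYPASS_HEADER_VALUE = "6f1c0f0e-REPLACE-WITH-YOUR-OWN-UUID"

# Constructed placeholder ranges (RFC 5737 documentation space);
# the real XBOW ranges are listed on the Access requirements page.
XBOW_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def header_matches(headers: Mapping[str, str]) -> bool:
    """True only if the bypass header is present with exactly the configured value.

    Header names are case-insensitive (HTTP semantics); the value is compared with
    compare_digest so a wrong guess does not leak the secret through timing.
    """
    wanted = BYPASS_HEADER_NAME.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return secrets.compare_digest(value.encode(), BYPASS_HEADER_VALUE.encode())
    return False


def ip_allowlisted(client_ip: str) -> bool:
    """True if the source address falls inside one of the allowlisted ranges."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:  # malformed or empty address never matches
        return False
    return any(addr in net for net in XBOW_NETWORKS)


def classify(client_ip: str, headers: Mapping[str, str]) -> str:
    """Label a request for logging and rule selection.

    'xbow-header'  bypass header verified: skip the WAF blocking rules
    'xbow-ip'      source IP inside the XBOW ranges: skip the WAF blocking rules
    'standard'     everything else: normal WAF processing
    """
    if header_matches(headers):
        return "xbow-header"
    if ip_allowlisted(client_ip):
        return "xbow-ip"
    return "standard"
```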
Option 3: Temporarily disable your WAF (test environments)
Important: Only use this option for isolated test environments with no exposure to production or untrusted networks.
- Disable your WAF for the target under test.
- Schedule re-enabling the WAF immediately after testing completes.
- Ensure your security team is aware of the temporary change.
Configure CAPTCHA handling
- Disable CAPTCHA for the test account you provide to XBOW.
- Document this change for your security team and plan to re-enable CAPTCHA after testing completes.
Next steps
- Lightspeed users: Fix configuration check problems
- Enterprise users: Set test execution options