Exclusions
Skip specific endpoints, parameters, or patterns during scans.
Why Exclude?
Common reasons to configure exclusions:
- Avoid testing logout endpoints that break sessions
- Skip third-party widgets or embedded content
- Exclude health check or monitoring endpoints
- Prevent testing payment processor redirects
- Skip write operations in production (delete, update)
URL Exclusions
Exclude by URL path pattern:
{
  "exclude": {
    "urls": [
      "/logout",
      "/api/health",
      "/api/metrics",
      "/admin/delete/*",
      "*.pdf",
      "/external/*"
    ]
  }
}
Supports wildcards: * matches any run of characters, ? matches a single character.
Parameter Exclusions
Skip specific parameters from testing:
{
  "exclude": {
    "parameters": [
      "csrf_token",
      "_token",
      "captcha",
      "recaptcha_response"
    ]
  }
}
Method Exclusions
Exclude specific HTTP methods:
{
  "exclude": {
    "methods": ["DELETE", "PUT"],
    "rules": [
      {
        "url": "/api/users/*",
        "methods": ["DELETE"]
      }
    ]
  }
}
Header-Based Exclusions
Exclude based on response headers:
{
  "exclude": {
    "response_headers": {
      "X-No-Scan": "*",
      "Content-Type": "application/pdf"
    }
  }
}
Configuration Methods
Dashboard
Configure in Settings → Scan Configuration → Exclusions
Config File
Add to hackerbot.config.json in your project
API
Include in scan creation request payload
Best Practices
- ⚠️ Don't over-exclude—you might miss real vulnerabilities
- ⚠️ Document why each exclusion exists
- ⚠️ Review exclusions periodically
- ⚠️ Test excluded endpoints separately when possible