When you scan a URL that redirects to another location, the scanner has to decide which URL to actually test. The “Follow redirects” setting controls this: whether the scanner follows the redirect and tests the destination, or stays on the original URL you entered. This is a target validation step. It runs before scanning starts, not during the scan itself. The platform checks whether the target URL redirects, validates whether the destination is within the configured scope, and updates the scan target accordingly. The default is Same-domain only, which covers the most common redirect patterns: HTTP to HTTPS upgrades and bare domain to www redirects.

Supported tools

The follow redirects option is available for any tool that accepts a URL as a target.
Tool              | Notes
Website Scanner   | Disabled automatically when authentication is configured
API Scanner       | Disabled automatically when authentication is configured
URL Fuzzer        | Always active
WordPress Scanner | Disabled automatically when authentication is configured
SQLi Exploiter    | Disabled automatically when authentication is configured
XSS Exploiter     | Disabled automatically when authentication is configured
When you configure authentication for a tool, redirect following is disabled automatically. The scanner tests the original URL to avoid redirect loops with login pages.

Options

The default is Same-domain only (same_domain).
Option           | API value   | Description
Never            | none        | Scan the original URL. Ignore all redirects.
Same-host only   | same_host   | Follow redirects within the same hostname. Allows protocol (HTTP to HTTPS) and path changes, but not subdomain or domain changes.
Same-domain only | same_domain | Follow redirects within the same registrable domain. Allows subdomain changes in addition to protocol and path changes.
Always           | allow_all   | Follow redirects to any destination, including a different domain.

How it works

Before a scan starts, the platform checks whether the target URL redirects. Based on the result:
  • Redirect within scope: the scan target is updated to the redirected URL and the scan proceeds normally
  • Redirect out of scope: the scan is rejected with an error
  • No redirect: the scan runs against the original URL

Redirect types

The levels are cumulative. Same-domain only covers everything Same-host only covers, and adds subdomain changes. Always follows any redirect.
Redirect type                                               | Minimum level needed
Protocol change (http://example.com to https://example.com) | Same-host only
Path change (example.com to example.com/login)              | Same-host only
Subdomain change (example.com to www.example.com)           | Same-domain only
Different domain (example.com to other.com)                 | Always
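The pre-scan validation step and the cumulative levels above can be expressed as a small decision function. The following is an added example written for this page, not the platform's own code: it classifies a redirect into the minimum level that would allow it and then applies a configured redirect_level exactly as the "How it works" list describes (follow in scope, reject out of scope, no redirect means scan the original). The registrable-domain helper is an assumption and a simplification (last two labels); a production implementation would consult the Public Suffix List.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# API values from the page, ordered from least to most permissive.
LEVELS = ["none", "same_host", "same_domain", "allow_all"]


def _host(url: str) -> str:
    """Lowercased hostname without port; raises if the URL has no host."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"no hostname in {url!r}")
    return parts.hostname.lower()


def registrable_domain(hostname: str) -> str:
    """Approximate the registrable domain as the last two DNS labels.

    ASSUMPTION (example only): the real platform almost certainly uses the
    Public Suffix List, so 'app.example.co.uk' maps to 'example.co.uk'.
    This helper would wrongly return 'co.uk' for that host.
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def minimum_level(original: str, destination: str) -> str:
    """Least permissive level that allows a redirect from original to destination."""
    src, dst = _host(original), _host(destination)
    if src == dst:
        return "same_host"        # protocol and/or path change only
    if registrable_domain(src) == registrable_domain(dst):
        return "same_domain"      # subdomain change, e.g. example.com -> www.example.com
    return "allow_all"            # different registrable domain


def resolve_target(original: str, destination: Optional[str],
                   level: str = "same_domain") -> str:
    """Apply the pre-scan target validation step.

    destination is the Location the original URL redirects to (absolute or
    relative), or None if it does not redirect. Returns the URL the scan should
    run against, or raises ValueError when the redirect is out of scope for
    the configured level.
    """
    if level not in LEVELS:
        raise ValueError(f"invalid redirect_level {level!r}; expected one of {LEVELS}")
    if destination is None:
        return original               # no redirect: scan the original URL
    if level == "none":
        return original               # Never: ignore all redirects
    destination = urljoin(original, destination)   # handle relative Location headers
    needed = minimum_level(original, destination)
    if LEVELS.index(needed) > LEVELS.index(level):
        raise ValueError(
            f"redirect to {destination} is out of scope for redirect_level={level}; "
            f"minimum level needed is {needed}"
        )
    return destination                # redirect within scope: scan the destination


if __name__ == "__main__":
    # Constructed sample redirects covering each row of the table above.
    samples = [
        ("http://example.com", "https://example.com"),
        ("https://example.com", "/login"),
        ("https://example.com", "https://www.example.com"),
        ("https://example.com", "https://other.com"),
    ]
    for src, dst in samples:
        print(f"{src} -> {dst}: minimum level {minimum_level(src, urljoin(src, dst))}")
```

Running it with the default level shows why Same-domain only is a sensible default: the HTTP-to-HTTPS and bare-domain-to-www cases resolve to the destination, while a redirect to other.com raises an error naming the level that would be needed.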

When to use each option

  • Never. Use when you want to test the exact URL you entered, regardless of where it redirects. Good for testing redirect behavior itself, or when the redirect destination is outside your engagement scope.
  • Same-host only. Use when the target may redirect between HTTP and HTTPS or to a different path on the same server, but you want to stay strictly on the same hostname.
  • Same-domain only. The right choice for most scans. It handles HTTP to HTTPS upgrades and www-prefixed redirects without risking unintended scope expansion.
  • Always. Use when you have explicit authorization to test the redirect destination and know it may be on a different domain.
Always follows redirects to any domain. Only use this when your scope explicitly covers the redirect destination.

API

Use the redirect_level parameter when starting scans via the API. The default is same_domain. Valid values: none, same_host, same_domain, allow_all.
curl -X POST https://pentest-tools.com/api/v2/scans \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tool_id": 170,
    "target_name": "https://example.com",
    "redirect_level": "same_domain"
  }'

Troubleshooting

If a scan fails because the target URL redirects to an out-of-scope destination, the Follow redirects setting is too restrictive for the redirect the target performs. Increase the Follow redirects level to cover the redirect type:
Redirect type                      | Minimum setting needed
HTTP → HTTPS, or path change       | Same-host only
Bare domain → www subdomain        | Same-domain only
Redirect to a different domain     | Always
Only use Always if your engagement scope explicitly covers the redirect destination.