Qualys WAS
Qualys •
Since 2009
Quick Actions
Official Docs
What is Qualys WAS?
Qualys WAS (Web Application Scanning) is an enterprise-grade web application security scanner that detects vulnerabilities such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 issues. The scanner performs comprehensive crawling and testing of web applications to identify security weaknesses. As a security tool, it does not respect robots.txt.
User Agent String
Qualys WAS
How to Control Qualys WAS
Block Completely
To prevent Qualys WAS from accessing your entire website, add this to your robots.txt file:
# Block Qualys WAS
User-agent: Qualys
Disallow: /
Block Specific Directories
To restrict access to certain parts of your site while allowing others:
User-agent: Qualys
Disallow: /admin/
Disallow: /private/
Disallow: /wp-admin/
Allow: /public/
Set Crawl Delay
To slow down the crawl rate (note: not all bots respect this directive):
User-agent: Qualys
Crawl-delay: 10
How to Verify Qualys WAS
Verification Method:
Verify scanner is authorized by the website owner
Verify scanner is authorized by the website owner
Learn more in the official documentation.
Detection Patterns
Multiple ways to detect Qualys WAS in your application:
Basic Pattern
/Qualys WAS/iStrict Pattern
/^Qualys WAS$/Flexible Pattern
/Qualys WAS[\s\/]?[\d\.]*?/iVendor Match
/.*Qualys.*Qualys/iImplementation Examples
// PHP Detection for Qualys WAS
function detect_qualys_was() {
$user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$pattern = '/Qualys WAS/i';
if (preg_match($pattern, $user_agent)) {
// Log the detection
error_log('Qualys WAS detected from IP: ' . $_SERVER['REMOTE_ADDR']);
// Set cache headers
header('Cache-Control: public, max-age=3600');
header('X-Robots-Tag: noarchive');
// Optional: Serve cached version
if (file_exists('cache/' . md5($_SERVER['REQUEST_URI']) . '.html')) {
readfile('cache/' . md5($_SERVER['REQUEST_URI']) . '.html');
exit;
}
return true;
}
return false;
}
# Python/Flask Detection for Qualys WAS
import re
from flask import request, make_responsedef detect_qualys_was():
user_agent = request.headers.get('User-Agent', '')
pattern = r'Qualys WAS'
if re.search(pattern, user_agent, re.IGNORECASE):
# Create response with caching
response = make_response()
response.headers['Cache-Control'] = 'public, max-age=3600'
response.headers['X-Robots-Tag'] = 'noarchive'
return True
return False# Django Middleware
class QualysWASMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
if self.detect_bot(request):
# Handle bot traffic
pass
return self.get_response(request)
// JavaScript/Node.js Detection for Qualys WAS
const express = require('express');
const app = express();// Middleware to detect Qualys WAS
function detectQualysWAS(req, res, next) {
const userAgent = req.headers['user-agent'] || '';
const pattern = /Qualys WAS/i;
if (pattern.test(userAgent)) {
// Log bot detection
console.log('Qualys WAS detected from IP:', req.ip);
// Set cache headers
res.set({
'Cache-Control': 'public, max-age=3600',
'X-Robots-Tag': 'noarchive'
});
// Mark request as bot
req.isBot = true;
req.botName = 'Qualys WAS';
}
next();
}app.use(detectQualysWAS);
# Apache .htaccess rules for Qualys WAS# Block completely
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Qualys WAS [NC]
RewriteRule .* - [F,L]# Or redirect to a static version
RewriteCond %{HTTP_USER_AGENT} Qualys WAS [NC]
RewriteCond %{REQUEST_URI} !^/static/
RewriteRule ^(.*)$ /static/$1 [L]# Or set environment variable for PHP
SetEnvIfNoCase User-Agent "Qualys WAS" is_bot=1# Add cache headers for this bot
<If "%{HTTP_USER_AGENT} =~ /Qualys WAS/i">
Header set Cache-Control "public, max-age=3600"
Header set X-Robots-Tag "noarchive"
</If>
# Nginx configuration for Qualys WAS# Map user agent to variable
map $http_user_agent $is_qualys_was {
default 0;
~*Qualys WAS 1;
}server {
# Block the bot completely
if ($is_qualys_was) {
return 403;
}
# Or serve cached content
location / {
if ($is_qualys_was) {
root /var/www/cached;
try_files $uri $uri.html $uri/index.html @backend;
}
try_files $uri @backend;
}
# Add headers for bot requests
location @backend {
if ($is_qualys_was) {
add_header Cache-Control "public, max-age=3600";
add_header X-Robots-Tag "noarchive";
}
proxy_pass http://backend;
}
}
Should You Block This Bot?
Recommendations based on your website type:
| Site Type | Recommendation | Reasoning |
|---|---|---|
| E-commerce | Optional | Evaluate based on bandwidth usage vs. benefits |
| Blog/News | Allow | Increases content reach and discoverability |
| SaaS Application | Block | No benefit for application interfaces; preserve resources |
| Documentation | Selective | Allow for public docs, block for internal docs |
| Corporate Site | Limit | Allow for public pages, block sensitive areas like intranets |
Advanced robots.txt Configurations
E-commerce Site Configuration
User-agent: Qualys
Crawl-delay: 5
Disallow: /cart/
Disallow: /checkout/
Disallow: /my-account/
Disallow: /api/
Disallow: /*?sort=
Disallow: /*?filter=
Disallow: /*&page=
Allow: /products/
Allow: /categories/
Sitemap: https://example.com/sitemap.xml
Publishing/Blog Configuration
User-agent: Qualys
Crawl-delay: 10
Disallow: /wp-admin/
Disallow: /drafts/
Disallow: /preview/
Disallow: /*?replytocom=
Allow: /
SaaS/Application Configuration
User-agent: Qualys
Disallow: /app/
Disallow: /api/
Disallow: /dashboard/
Disallow: /settings/
Allow: /
Allow: /pricing/
Allow: /features/
Allow: /docs/
Quick Reference
User Agent Match
Qualys WASRobots.txt Name
QualysCategory
securityRespects robots.txt
May not respect
Copied to clipboard!