API-DASTard is security testing software. Only scan systems that you own or are explicitly authorized to test. Active testing can cause data modification, resource consumption, or service disruption in vulnerable targets.
Do not report security vulnerabilities through a public issue. Until a dedicated private reporting address is published, repository owners should enable GitHub private vulnerability reporting and use the repository Security tab.
- Replace every value marked as development-only in
.env.example. - Place the web service behind TLS before using real credentials.
- Restrict worker egress to approved target networks at the infrastructure layer.
- Back up PostgreSQL and test restoration.
- Review Nuclei and nuclei-templates release notes before changing pinned versions.
- Do not enable arbitrary, code, JavaScript, headless, or file templates in a shared deployment.
- Rotate scan credentials if a worker or database is suspected to be compromised.