OWASP ZAP


Zed Attack Proxy web application security scanner

About this crawler

OWASP ZAP is a web crawler identified by the regular-expression pattern OWASP ZAP in the User-Agent request header. It is categorised as a scanner. Use this pattern to detect, log, allow, or block OWASP ZAP traffic in your web server, CDN edge rules, or robots.txt.

Block-rate · top 25k sites

No block-rate data for this crawler.

Technical details

Name: OWASP ZAP
Pattern: OWASP ZAP
Tags: scanner
Reference: https://www.zaproxy.org/
Added: 2026/05/02
rDNS suffixes: .zap.org, .zaproxy.org
Instances: 0 known sample(s)

rDNS verification (FCrDNS)

Verify that a request is genuinely OWASP ZAP with forward-confirmed reverse DNS: the client IP's PTR record must end in one of the rDNS suffixes listed under Technical details, and a forward A/AAAA lookup of that hostname must return the same IP. UA strings alone are spoofable; FCrDNS is not.
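An added example (not code from this page or from the ZAP project) of the FCrDNS check described above, in Python. The resolver hooks, the reason strings and the sample records on documentation IP ranges are constructed assumptions; the suffixes are the ones listed under Technical details.

```python
import ipaddress
import socket

# Suffixes copied from the "rDNS suffixes" row of this page.
RDNS_SUFFIXES = (".zap.org", ".zaproxy.org")

def _ptr_lookup(ip):
    """Return the PTR hostname for ip, or None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def _forward_lookup(hostname):
    """Return every A/AAAA address for hostname (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def verify_fcrdns(client_ip, suffixes=RDNS_SUFFIXES,
                  ptr_lookup=_ptr_lookup, forward_lookup=_forward_lookup):
    """Return (verified, hostname_or_reason) for client_ip."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "invalid-ip"
    host = (ptr_lookup(str(ip)) or "").rstrip(".").lower()
    if not host:
        return False, "no-ptr"
    # Each suffix starts with a dot, so only whole trailing labels can match.
    if not host.endswith(tuple(s.lower() for s in suffixes)):
        return False, "suffix-mismatch"
    forward = set()
    for addr in forward_lookup(host):
        try:
            forward.add(ipaddress.ip_address(addr.split("%")[0]))  # drop IPv6 scope id
        except ValueError:
            continue
    # The PTR zone belongs to the IP's owner; only the forward zone confirms the name.
    return (True, host) if ip in forward else (False, "forward-mismatch")

# Constructed sample records (documentation IP ranges, invented hostnames).
SAMPLE_PTR = {"192.0.2.10": "scan1.zaproxy.org.", "198.51.100.7": "fake.zaproxy.org",
              "203.0.113.5": "zaproxy.org.other.example"}
SAMPLE_A = {"scan1.zaproxy.org": ["192.0.2.10"], "fake.zaproxy.org": ["192.0.2.99"]}

def demo():
    """Run the check over the constructed records without touching the network."""
    ips = list(SAMPLE_PTR) + ["192.0.2.200", "not-an-ip"]
    return {ip: verify_fcrdns(ip, ptr_lookup=SAMPLE_PTR.get,
                              forward_lookup=lambda h: SAMPLE_A.get(h, [])) for ip in ips}
```

Called without the hook arguments, `verify_fcrdns` uses the system resolver; cache the result per IP so the lookups do not run on every request.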

Sample User-Agent strings

No public sample user-agents recorded.

Block this crawler

robots.txt — disallow OWASP ZAP:

    User-agent: OWASP ZAP
    Disallow: /

Apache .htaccess — return 403:

    RewriteEngine On
    # The pattern contains a space, so it must be quoted to parse as one argument
    RewriteCond %{HTTP_USER_AGENT} "OWASP ZAP" [NC]
    RewriteRule .* - [F,L]

Nginx — return 403 inside a server block:

    if ($http_user_agent ~* "OWASP ZAP") {
        return 403;
    }