Supported scopes

Before choosing scope

Supported scope means customer-owned or explicitly authorized public web pages that belong to the project domain and can be opened safely by an automated browser. Use this page before accepting scan scope or adding manual URLs. This boundary matters because WebRiskOps is a self-service public-page workflow. The scanner should not guess that private dashboards, admin paths, login-only pages, unrelated third-party domains or destructive actions are allowed.

Confirm supported public scope

Follow the path `Projects → Project detail → Scan scope selection → Supported public pages → Scope acceptance`.

1. Open /projects and choose the project for the authorized domain. Result: the project detail page shows the project domain, plan state and Scan scope selection area for that site.
2. Compare the project Domain with the public site you want scanned. Result: you know whether the pages belong to the same accepted host instead of another customer, admin or third-party domain.
3. In Scan scope selection, review discovered URL groups before adding anything manually. Result: WebRiskOps shows candidate public pages and the selected page count inside the plan limit.
4. Keep only public pages that a browser can open without credentials, such as home, pricing, product, cart, checkout information, contact or support pages. Result: private account areas and destructive actions stay out of scanner input.
5. Use Add authorized URL only for a missing public page on the same project domain. Result: the manual URL supplements discovery without expanding the scan to a different host.
6. When the selected public set is correct, continue to Accepted scan scope. Result: the acceptance step can record the exact scan boundary before a live audit starts.

Decide what belongs in scope

Supported pages are pages the customer can authorize and the scanner can safely render without credentials or side effects.

• Include same-domain public pages that represent the user journey you need checked: homepage, pricing, product detail, cart, public checkout information, contact, support and public policy pages.
• Include a subdomain only when the project and authorization clearly cover that host.
• Exclude account dashboards, admin panels, private network hosts, staging environments, password-protected pages and pages that submit destructive actions.
• Keep third-party payment, analytics, identity, SaaS admin and vendor dashboards out of scope unless a later dedicated integration flow documents them.
• If the selected set exceeds the plan page limit, reduce selection before acceptance instead of assuming the scanner will choose safely.

Resolve unsupported or blocked state

The product should stop unsupported scope before a live audit starts.

• Unsupported target means remove the URL or read [Unsupported targets](/docs/projects/unsupported-targets) before continuing.
• Private network means stop the workflow; private/internal hosts are outside the standard self-service scan.
• Ownership proof required means finish project authorization before accepting scope.
• Plan limit reached means reduce selected groups or use [Public-page-only limits](/docs/projects/public-page-only-limits) to understand the cap.
• Manual URL rejected means check [Manual URLs and path rules](/docs/projects/manual-urls-and-path-rules) and keep the URL on the accepted host.

Continue to scope acceptance

When every selected page is public, same-domain and authorized, continue to [Accepted scan scope](/docs/projects/accepted-scan-scope). That page explains the approval record that turns supported public pages into the exact live-audit boundary.