How to block the Qualys web scanner
Qualys runs web-application and vulnerability scanners used by security teams to assess sites. When a Qualys crawler fetches content with a declared token, robots.txt can ask it to stop — but a scan you own is configured inside Qualys, so the right control depends on whether the scan is yours or a third party's. This page covers both cases.
What this means
Qualys provides web-application scanning and vulnerability assessment. Security teams point a Qualys scanner at their own properties to find issues. If you control the scan, you scope it — which paths to crawl, authentication, and limits — inside the Qualys console, not in robots.txt.
If instead a Qualys crawl is hitting your site and you did not authorise it, robots.txt can request that the courteous crawl stop. But security scanners are often configured to ignore robots.txt deliberately, so do not rely on it for unwanted scanning.
How to block it
For a courteous Qualys web crawl that honours robots.txt, target its token in its own group:
    User-agent: Qualys
    Disallow: /
Verify in your logs whether token-carrying requests stop. For a scan you own, ignore robots.txt and instead set the crawl scope, exclusion lists and rate limits in the Qualys configuration, which is the supported way to constrain it. For unauthorised scanning that ignores robots.txt, use a firewall or WAF rule.
- robots.txt token to target: Qualys
- Scope scans you own inside the Qualys console, not robots.txt
- Use a firewall/WAF for unauthorised scanning that ignores robots.txt
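One way to run the log check described above, as an added example that is not part of the original page or of Qualys's own tooling. It assumes Combined Log Format access logs; the function name, the sample lines and their user-agent strings are constructed, and the 24-hour grace window reflects the robots.txt caching allowance in RFC 9309.

```python
import re
from datetime import datetime, timedelta

# Assumed log layout (Combined Log Format):
# ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# RFC 9309: a crawler should not reuse a cached robots.txt for more than 24 hours.
CACHE_GRACE = timedelta(hours=24)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def check_robots_honoured(lines, block_deployed, token="Qualys"):
    """Bucket token-carrying requests relative to when Disallow: / went live."""
    result = {"before": 0, "grace": 0, "after": [], "robots_fetches": 0}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or token.lower() not in m["ua"].lower():
            continue  # unparsable line, or not carrying the scanner token
        ts = datetime.strptime(m["ts"], TS_FMT)
        path = m["path"].split("?", 1)[0]
        if path == "/robots.txt":
            result["robots_fetches"] += 1  # reading robots.txt is always allowed
        elif ts < block_deployed:
            result["before"] += 1
        elif ts < block_deployed + CACHE_GRACE:
            result["grace"] += 1  # may still be acting on a cached copy
        else:
            result["after"].append((ts.isoformat(), path, m["status"]))
    if result["after"]:
        result["verdict"] = "ignored: enforce at firewall/WAF or scope at source"
    elif result["before"] or result["grace"] or result["robots_fetches"]:
        result["verdict"] = "honoured so far"
    else:
        result["verdict"] = "no token-carrying traffic seen"
    return result

# Constructed sample lines: documentation IP range, invented user-agent strings.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2026:09:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Qualys)"',
    '192.0.2.10 - - [01/Jun/2026:12:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 30 "-" "Mozilla/5.0 (compatible; Qualys)"',
    '192.0.2.10 - - [01/Jun/2026:13:00:00 +0000] "GET /admin HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Qualys)"',
    '192.0.2.10 - - [03/Jun/2026:10:00:00 +0000] "GET /admin?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; Qualys)"',
    '198.51.100.7 - - [03/Jun/2026:10:01:00 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]
DEPLOYED = datetime.strptime("01/Jun/2026:12:00:00 +0000", TS_FMT)

if __name__ == "__main__":
    print(check_robots_honoured(SAMPLE_LOG, DEPLOYED))
```

Any entry in `after` is a token-carrying request made once the caching window had passed, which is the signal to move from robots.txt to enforcement or to scoping at the source.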
How it appears in analytics and logs
A request carrying a Qualys scanner token is a web-application or vulnerability scan, not a human visit. It is bot traffic. If the scan is your own, robots.txt is the wrong place to scope it; if it is a third party's, robots.txt asks it to stop.
Diagnostic use case
Ask an unwanted Qualys crawl to skip your site via robots.txt, or scope a security scan you own inside the Qualys console instead.
What WebmasterID can help detect
WebmasterID classifies security scanners server-side, so you can see Qualys crawl activity and tell whether a robots.txt block is being honoured or whether the scan needs scoping at its source.
Common mistakes
- Trying to scope a security scan you own via robots.txt instead of the Qualys console.
- Expecting robots.txt to stop a scanner configured to ignore it.
- Counting scanner hits as human traffic.
Privacy and accuracy notes
Blocking Qualys relies only on the request user-agent token. No human identity or raw IP is exposed as a feature. WebmasterID records the scan as a bot event, separate from human analytics.
Related pages
- How to block the Censys scanner
Censys runs internet-wide scanning that catalogs hosts and services for security research. Because it operates at the host/port level rather than fetching pages as a polite web crawler, robots.txt is largely ineffective. This page explains what Censys does and why firewall-level controls, not robots.txt, are the right response.
- How to block the BinaryEdge scanner
BinaryEdge runs internet-wide scans that catalogue exposed services and web properties for its attack-surface and threat-intelligence datasets. Where it crawls web content with a declared token, robots.txt can ask it to stop; but much internet-wide scanning operates below the HTTP-courtesy layer, so a firewall rule is usually the real control. This page covers both.
- robots.txt vs a firewall/WAF
robots.txt and a firewall/WAF solve different problems: robots.txt politely asks compliant crawlers what to skip, while a firewall or WAF actually blocks requests at the network or edge layer. This page contrasts the two, explains when each is appropriate, and warns against using robots.txt for jobs only enforcement can do.
- Qualys web application scanner
Qualys operates security scanning that assesses web applications and infrastructure for vulnerabilities and misconfigurations. Some Qualys scanning is authorised by the site owner (an internal security assessment); some is part of broader internet measurement. It is a security tool, not a search crawler, and its probes appear in logs as scanning rather than content fetching for ranking.
Sources and verification notes
- Qualys — Web Application Scanning documentation
Qualys documents scan configuration; confirm the exact crawler token against current docs.
- Robots Exclusion Protocol (RFC 9309)
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.