How to fix passive scan only on Wix

Complement passive security scans with active Dynamic Application Security Testing (DAST) against a staging copy of your store before each release.

Steps for Wix

  1. Wix is a fully managed SaaS platform; you cannot run DAST against Wix's infrastructure directly. Active scanning of Wix's shared servers is not permitted, and because your live store runs on those servers it can never be the DAST target.
  2. Focus your security testing on Wix Velo (custom JavaScript code), custom backends, and any external APIs or third-party services your Wix site calls.
  3. If your site calls an external API that you host yourself (for example from Velo backend code), deploy that API to a separate staging/test environment, populated with test data and test credentials only, and point OWASP ZAP at that endpoint. Velo backend code itself runs only on Wix and cannot be moved to a staging host, so it is covered by the next step rather than by ZAP.
  4. For Velo code, conduct code review using OWASP Cheat Sheet Series guidance for JavaScript/Node.js: validate and type-check every input that reaches backend functions and HTTP functions, encode output before it is rendered in the page, and keep API keys and tokens in Wix's Secrets Manager rather than in source code.
  5. Keep all Wix Apps updated via your Wix Dashboard → Add Apps → Manage Apps, as third-party Wix apps are a common vulnerability source.
  6. For deeper security testing needs, consider migrating business-critical custom logic to a self-hosted API service where DAST is fully permitted.
Official Wix documentation ↗
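The pre-release check that steps 1, 3 and 6 describe, as an added example script that is not part of the original page and not Wix's or SEOLZ's own tooling. It runs OWASP ZAP's full scan (spider plus active scan) from the official Docker image `ghcr.io/zaproxy/zaproxy:stable` against a staging endpoint, and refuses to run if the target host is the live store or Wix infrastructure (step 1's caveat). The baseline script `zap-baseline.py` is deliberately not used: it only spiders and passively scans, which is exactly the coverage this page says is insufficient. The hostnames in `LIVE_HOSTS` and the staging URL in the usage line are placeholders, not real sites.

```shell
#!/bin/sh
# Pre-release DAST step for the staging copy of a self-hosted API that a Wix
# site calls. Added example; hostnames are placeholders, replace with your own.

# Hosts that must never be actively scanned: the live store and Wix's own
# infrastructure. Assumed values.
LIVE_HOSTS="shop.example.com example.wixsite.com www.wix.com"

# Print the host part of a URL: scheme stripped, port/path/query dropped.
url_host() {
  printf '%s' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[/:?].*$##'
}

# Succeed only if the target's host is non-empty and not in LIVE_HOSTS.
dast_target_allowed() {
  host=$(url_host "$1")
  [ -n "$host" ] || return 1
  for live in $LIVE_HOSTS; do
    [ "$host" != "$live" ] || return 1
  done
  return 0
}

# Print the docker command for a ZAP full scan of TARGET. The current
# directory is mounted as /zap/wrk so the HTML report lands beside the script.
zap_full_scan_cmd() {
  target="$1"
  report="${2:-zap-report.html}"
  printf 'docker run --rm -v "%s:/zap/wrk:rw" -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t "%s" -r "%s"' \
    "$PWD" "$target" "$report"
}

# Guard first, then scan. zap-full-scan.py exit codes: 0 pass, 1 at least one
# FAIL, 2 at least one WARN, 3 or higher the scan itself did not complete.
run_dast() {
  target="$1"
  if ! dast_target_allowed "$target"; then
    echo "refusing to scan $target: host is the live store or Wix infrastructure" >&2
    return 2
  fi
  cmd=$(zap_full_scan_cmd "$target")
  echo "running: $cmd"
  rc=0
  sh -c "$cmd" || rc=$?
  case $rc in
    0) echo "DAST passed" ;;
    1) echo "DAST found FAIL-level alerts, blocking release" >&2 ;;
    2) echo "DAST found WARN-level alerts, review the report before release" >&2 ;;
    *) echo "ZAP scan did not complete (exit $rc)" >&2 ;;
  esac
  return $rc
}

# Usage: sh dast-staging.sh https://staging-api.example.com
[ $# -eq 0 ] || run_dast "$1"
```

Wire `run_dast` into the release pipeline so a non-zero exit blocks the deploy; a FAIL alert is a hard stop, and a WARN should be triaged in the HTML report (which alert, on which URL, with the request ZAP sent) rather than waved through. The scan must be pointed at staging data only: an active scan submits crafted input to every form and parameter it finds, which on a live store would create junk orders and fire real payment and email integrations.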

What is passive scan only?

Automated security scanners that check your live store passively — inspecting HTTP headers, TLS certificates, cookies, and DNS records — can only see what is publicly visible without logging in or submitting forms. They cannot detect deeper vulnerabilities like SQL injection, broken authentication, insecure API endpoints, or business-logic flaws. Dynamic Application Security Testing (DAST) tools, such as OWASP ZAP, actively probe a running copy of your application the way a real attacker would — sending crafted requests, testing login flows, and fuzzing inputs — to surface vulnerabilities a passive scan will never find. Running DAST against a staging environment (never your live store) gives you a much more complete security picture before code reaches customers.

Security Misconfiguration is A05 in the OWASP Top 10 (2021 edition), and misconfigurations together with vulnerabilities that were never tested for are a leading cause of data breaches in ecommerce, exposing customer payment data, personal information, and admin credentials. A breach can result in PCI DSS non-compliance fines, chargebacks, loss of payment-processor accounts, and reputational damage that directly destroys revenue. Relying solely on passive header checks leaves entire attack surfaces (checkout flows, account login, coupon logic, admin APIs) completely untested. Adding even a basic DAST scan to your pre-release checklist substantially reduces the chance of shipping a critical vulnerability to production.

See the complete Passive scan only guide for every platform and the full background.

Not sure if your Wix store has this?

Run a free SEOLZ audit — we’ll find passive scan only and every other issue across your whole site.

