Stop Flying Blind: Monitor Webhooks and Portals with Passive ZAP Scans episode artwork

EPISODE · Jun 10, 2026 · 13 MIN

Stop Flying Blind: Monitor Webhooks and Portals with Passive ZAP Scans

from Headcount Zero · host Jordan

Solo operators expose dozens of public endpoints—webhooks, client portals, form handlers—but unlike companies with security teams, nobody's checking if they're properly configured. This episode walks through setting up OWASP ZAP's passive baseline scan in Docker, scheduled weekly with cron, to catch missing security headers, CORS misconfigurations, and cookie issues before they cost you a client or a deal. Jordan covers the exact Docker Compose setup, config file tuning with OUTOFSCOPE patterns, exit code automation for Slack alerts, and ticket creation in Linear or Jira. The scan is passive-only and production-safe, designed as a regression safety net that catches configuration drift between deployments. Includes guidance on authenticated scanning with ZAP contexts, the critical endpoint inventory every solo needs, and honest limits about what passive scans can and can't catch.

Solo operators expose dozens of public endpoints—webhooks, client portals, form handlers—but unlike companies with security teams, nobody's checking if they're properly configured. This episode walks through setting up OWASP ZAP's passive baseline scan in Docker, scheduled weekly with cron, to catch missing security headers, CORS misconfigurations, and cookie issues before they cost you a client or a deal. Jordan covers the exact Docker Compose setup, config file tuning with OUTOFSCOPE patterns, exit code automation for Slack alerts, and ticket creation in Linear or Jira. The scan is passive-only and production-safe, designed as a regression safety net that catches configuration drift between deployments. Includes guidance on authenticated scanning with ZAP contexts, the critical endpoint inventory every solo needs, and honest limits about what passive scans can and can't catch.

NOW PLAYING

Stop Flying Blind: Monitor Webhooks and Portals with Passive ZAP Scans

0:00 13:31

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

No similar episodes found.

No similar podcasts found.

Frequently Asked Questions

How long is this episode of Headcount Zero?

This episode is 13 minutes long.

When was this Headcount Zero episode published?

This episode was published on June 10, 2026.

What is this episode about?

Solo operators expose dozens of public endpoints—webhooks, client portals, form handlers—but unlike companies with security teams, nobody's checking if they're properly configured. This episode walks through setting up OWASP ZAP's passive baseline...

Can I download this Headcount Zero episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!