Censys scanner causing error logs: "Missing required parameter: response_type"

Problem Statement

We saw many tenant log entries with “Missing required parameter: response_type”. They appear to come from IP addresses used by the Censys scanner. How can we stop those errors?

Cause

From the Censys website:

[Censys scans](https://support.censys.io/hc/en-us/articles/360059603231-from-opt-out) help the scientific community accurately study the Internet. The data Censys gathers is sometimes used to detect security problems and to inform operators of vulnerable systems so that they can be fixed.

If you wish to opt out, you can configure your firewall to drop traffic from the subnets we use for scanning:

* `162.142.125.0/24`
* `167.94.138.0/24`
* `167.94.145.0/24`
* `167.94.146.0/24`
* `167.248.133.0/24`
* `2602:80d:1000:b0cc:e::/80`
* `2620:96:e000:b0cc:e::/80`

Additionally, our HTTP-based scans use a Censys-specific user agent, which can be used to filter requests from our scanners.

`Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)`

We do not manually remove results from Censys. However, if you have blocked these subnets, your host(s) will automatically be pruned out the next time we attempt to scan the publicly accessible services. Services are typically pruned out of Censys Search within 24-48 hours.

Solution

We don’t currently have a method for blocking specific CIDR ranges for specific tenants. Alternatively, you may try this workaround:

Set up your own CDN+WAF in front of your custom domain with those custom block rules, and use self-managed certificates. This may require a change on your side to migrate your domain from Auth0-managed certificates to self-managed certificates and could involve downtime during the transition.

This doc explains how to set up your custom domain using self-managed certificates.
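Before writing WAF block rules, it helps to confirm how many of the `response_type` errors really match the Censys subnets and user agent quoted above. The following is an added example, not Auth0 or Censys code; the log field names `ip`, `user_agent` and `description` are assumptions about the shape of your exported tenant logs, and the sample entries are constructed.

```python
import ipaddress
from collections import Counter

# Subnets and user-agent token from the Censys opt-out text quoted on this page.
CENSYS_SUBNETS = [ipaddress.ip_network(n) for n in (
    "162.142.125.0/24", "167.94.138.0/24", "167.94.145.0/24",
    "167.94.146.0/24", "167.248.133.0/24",
    "2602:80d:1000:b0cc:e::/80", "2620:96:e000:b0cc:e::/80",
)]
CENSYS_UA_TOKEN = "CensysInspect"
ERROR_TEXT = "Missing required parameter: response_type"


def classify(entry):
    """Return 'subnet+ua', 'subnet', 'ua' or None for one log entry."""
    try:
        addr = ipaddress.ip_address(entry.get("ip", ""))
    except ValueError:
        addr = None  # malformed or missing address: only the UA check applies
    # A dual-stack proxy may log IPv4 clients as ::ffff:a.b.c.d
    if addr is not None and addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    in_subnet = addr is not None and any(
        addr.version == net.version and addr in net for net in CENSYS_SUBNETS)
    has_ua = CENSYS_UA_TOKEN in entry.get("user_agent", "")
    if in_subnet and has_ua:
        return "subnet+ua"
    return "subnet" if in_subnet else "ua" if has_ua else None


def error_sources(entries):
    """Count response_type errors by Censys match ('other' = no match)."""
    counts = Counter()
    for entry in entries:
        if ERROR_TEXT in entry.get("description", ""):
            counts[classify(entry) or "other"] += 1
    return dict(counts)


UA = "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
SAMPLE = [  # constructed entries, not real tenant logs
    {"ip": "162.142.125.17", "user_agent": UA, "description": ERROR_TEXT},
    {"ip": "::ffff:167.94.138.20", "user_agent": UA, "description": ERROR_TEXT},
    {"ip": "2602:80d:1000:b0cc:e::5", "user_agent": "", "description": ERROR_TEXT},
    {"ip": "203.0.113.9", "user_agent": UA, "description": ERROR_TEXT},
    {"ip": "198.51.100.4", "user_agent": "curl/8.0", "description": ERROR_TEXT},
    {"ip": "162.142.125.17", "user_agent": UA, "description": "Success Login"},
]

if __name__ == "__main__":
    print(error_sources(SAMPLE))
```

A `ua` result means the request carried the Censys user agent from outside the listed subnets; the header is client-supplied, so treat the subnet match as the stronger signal when deciding what to block.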