# Configuration
Dalfox reads a config file on startup so you don't have to pass the same flags every time. Anything you set in the config is overridden by an explicit CLI flag, so it's safe to keep "defaults" here.
## Where the file lives

Dalfox looks in this order:

1. `$XDG_CONFIG_HOME/dalfox/config.toml`
2. `$HOME/.config/dalfox/config.toml`

You can point anywhere else with `--config`:

```shell
dalfox --config ./dalfox.toml scan https://target.app
```
If no file exists, Dalfox creates a template at the default path the first time you run it.
## A minimal config

```toml
[scan]
format = "json"
output = "results.json"
timeout = 15
workers = 100
encoders = ["url", "html"]
```
Run a scan and those flags apply automatically:

```shell
dalfox https://target.app?q=test
# → writes JSON results to results.json with workers=100
```
## Precedence

CLI flag > Config file > Built-in defaults

Anything on the command line wins. This lets you keep sensible defaults in the config, then override per-scan:

```shell
# Config sets workers=100, but for this quick scan use 20
dalfox --workers 20 https://target.app
```
## Formats

Dalfox supports both TOML and JSON. TOML is the default — JSON is handy if you generate the file from a tool or UI.

```toml
# ~/.config/dalfox/config.toml
[scan]
format = "sarif"
silence = true
```

```json
{
  "scan": {
    "format": "sarif",
    "silence": true
  }
}
```
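The lookup order, the TOML/JSON choice and the precedence rule above, worked through as an added example (this is not Dalfox's own code): a small Python resolver that walks the search path, loads a flat `[scan]` config in either format with a minimal TOML-subset parser, and merges it under the CLI flags. The built-in default values, the sample config text and the `exists` callback are assumptions made for the demo.

```python
import json
from typing import Callable, Optional
# Constructed sample: the page's minimal config plus a comment line.
SAMPLE_TOML = """# ~/.config/dalfox/config.toml
[scan]
format = "json"
workers = 100
encoders = ["url", "html"]
"""
BUILTIN_DEFAULTS = {"format": "plain", "timeout": 10, "workers": 50}  # assumed demo defaults, not Dalfox's real ones

def parse_value(v: str):
    # TOML subset: bools, quoted strings, ints, and flat arrays of those.
    if v in ("true", "false"):
        return v == "true"
    if v[:1] == '"' and v[-1:] == '"':
        return v[1:-1]
    if v[:1] == "[" and v[-1:] == "]":
        return [parse_value(x.strip()) for x in v[1:-1].split(",") if x.strip()]
    return int(v)

def parse_toml_subset(text: str) -> dict:
    # Flat "[table]" and "key = value" lines; '#' comments dropped (naive: also cuts a '#' inside a string).
    table = data = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line[:1] == "[" and line[-1:] == "]":
            table = data.setdefault(line[1:-1].strip(), {})
        elif line:
            key, _, value = line.partition("=")
            table[key.strip()] = parse_value(value.strip())
    return data

def load_config(text: str, fmt: str = "toml") -> dict:
    # Either on-disk format the page lists; TOML is the default.
    return json.loads(text) if fmt == "json" else parse_toml_subset(text)

def resolve_config_path(explicit: Optional[str], env: dict, exists: Callable[[str], bool]) -> Optional[str]:
    # --config wins outright; otherwise $XDG_CONFIG_HOME, then $HOME/.config, first file that exists.
    if explicit:
        return explicit
    candidates = [env["XDG_CONFIG_HOME"] + "/dalfox/config.toml"] if env.get("XDG_CONFIG_HOME") else []
    candidates += [env["HOME"] + "/.config/dalfox/config.toml"] if env.get("HOME") else []
    return next((c for c in candidates if exists(c)), None)

def effective_options(config: dict, cli: dict) -> dict:
    # CLI flag > [scan] table > built-in defaults; a flag left unset (None) overrides nothing.
    merged = {**BUILTIN_DEFAULTS, **config.get("scan", {})}
    merged.update({k: v for k, v in cli.items() if v is not None})
    return merged
```

With the sample config and `--workers 20` on the command line, `effective_options` yields `workers=20` while `format` still comes from the file and `timeout` from the defaults.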
## What can I configure?

Anything that has a CLI flag under `dalfox scan` can live in the `[scan]` table. Common examples:
| Key | Example | What it does |
|---|---|---|
| `format` | `"json"` | Output format (`plain`, `json`, `jsonl`, `markdown`, `sarif`, `toml`) |
| `output` | `"report.json"` | Default output file |
| `silence` | `true` | Suppress logs, emit only findings |
| `timeout` | `15` | Request timeout in seconds |
| `delay` | `200` | Delay between requests in ms |
| `workers` | `100` | Concurrent workers per target |
| `encoders` | `["url","html","base64"]` | Payload encoders |
| `remote_payloads` | `["portswigger"]` | Remote payload sources |
| `remote_wordlists` | `["burp"]` | Remote parameter wordlists |
| `headers` | `["Accept: text/html"]` | Extra request headers |
| `user_agent` | `"Dalfox Scanner"` | Default User-Agent |
| `waf_bypass` | `"auto"` | WAF bypass mode (`auto`, `force`, `off`) |
| `follow_redirects` | `true` | Follow 3xx responses |
See the Config File reference for every key.
## Secrets

API keys, bearer tokens, blind-XSS callback hostnames — keep them out of the config file if you commit it. Prefer environment variables:

```shell
# .env or your shell profile
export DALFOX_API_KEY="..."
```
Or pass them at the command line and never persist them.