Release 2.13.0

This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.12.0.

Some of the more significant enhancements include:

HTTP/2 Support

HTTP/2 is now supported, with no configuration changes required.

If you proxy HTTP/2 traffic through ZAP then ZAP will make the same HTTP/2 requests to the target. Any tools that work on proxied requests will also automatically use HTTP/2.

Improved Authentication Handling

ZAP authentication handling has been significantly overhauled, and ZAP can now auto-authenticate to many web apps by just supplying the URL of the login page along with the credentials.

Mac Silicon Support

Mac Silicon is now supported via a new installer and in the Docker images.

GitHub Container Registry

As explained in this blog post the ZAP Docker images are now also available in the GitHub Container Registry.

This may well be a better alternative for many users as, unlike Docker Hub, there is currently no rate limiting on pulls.

Default Threads

All of the “attack” tools which use threading, including both spiders and active scanner, have been changed to use 2x the number of processors as the default number of threads. Using more threads has been shown to significantly reduce the time the scanners take to run.

Network Rate Limiting

The Network add-on now supports a rate limiting feature which allows you to limit the request rate of HTTP/HTTPS (not web sockets) traffic to hosts or domains to prevent overloading the target or being blocked. For more details see the Rate Limit help page.

Note that the Active Scan Delay When Scanning feature has been deprecated and will be removed in a future release.

Network Global Exclusions

The Global Exclusions functionality has been moved to the Network add-on. This will allow us to update it more easily to keep up with browser changes.

Scan Rule Promotions

The following Active scan rules have been promoted to Release status:

The following Active scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):

The following Passive scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):

Dependency Updates

As usual the release includes dependency updates.

The Selenium add-on has been updated to use the Selenium v4 library. One benefit this brings is that the output from browsers will no longer be shown in the ZAP output - this has been confusing to many people and has not provided any real benefit.

If you have any custom code that directly accesses Selenium classes then you may need to update it.

The following libraries were updated:

  • Commons Codec, 1.15 → 1.16.0
  • Commons CSV, 1.9.0 → 1.10.0
  • Commons IO, 2.11.0 → 2.13.0
  • Flatlaf 2.6 → 3.1.1
  • HSQLDB, 2.7.1 → 2.7.2
  • JFreeChart, 1.5.3 → 1.5.4
  • Log4j 2, 2.19.0 → 2.20.0
  • RSyntaxTextArea, 3.3.0 → 3.3.3
  • XOM, 1.3.8 → 1.3.9


New Add-Ons

The following add-ons are included by default in this release for the first time:

Updated Add-Ons

All of the add-ons included by default have been updated since the last full release.


  • Issue 7326 : Allow icons to be scaled independently of the text
  • Issue 7440 : Manual Request Editor - Add Content-Type when switching to POST
  • Issue 7574 : Add convenience methods for help and options buttons
  • Issue 7581 : I would like to be able to set `ZAP_SILENT` to disable call home requests
  • Issue 7600 : Add details to logged API exception messages
  • Issue 7613 : Lower case HTTP field names
  • Issue 7663 : Default thread to number of processors
  • Issue 7693 : Add Clear button to History tab
  • Issue 7806 : Deprecate CFU HTTP sender initiator
  • Issue 7843 : Deprecate `Proxy`/`ProxyServer` related methods
  • Issue 7847 : Add auto-detect checking strategy
  • Issue 7869 : Allow to limit alerts per rule during active scan
  • Issue 7886 : Include whole `org.zaproxy` package in log config
  • Issue 7887 : Show alert ref in the Alert panel
  • Issue 7888 : Deprecate Global Exclude URLs
  • Issue 7918 : Use Adoptium for Java download in the executable
  • Issue 7933 : Search auth messages
  • Issue 7937 : Deprecate Active Scan option Delay When Scanning
  • Issue 7938 : Allow to read enum values with `AbstractParam`

Bug fixes

  • Issue 3798 : java.awt.Toolkit initialised when running without view
  • Issue 5368 : ZAP exe might fail to find Java
  • Issue 6957 : Use of commas within regex for contexts renders them unloadable
  • Issue 7559 : Alert selection automatically focusing the Request/Response tabs in Full layout
  • Issue 7579 : Do not allow invalid number of active scan threads
  • Issue 7589 : Improve add-on update file handling
  • Issue 7590 : Add-ons being updated might be marked as blocked
  • Issue 7593 : Check first if an add-on can be uninstalled before uninstalling dependents
  • Issue 7598 : Misspelling in `config.xml` `scanner.antiCSFR` should be `scanner.antiCSRF`
  • Issue 7615 : Refresh Show Tab menu item when tabs are removed
  • Issue 7619 : Use correct path for proxy.pac API nonce
  • Issue 7620 : Fix HTML tag in message on Context Authorization screen
  • Issue 7635 : Repaint main toolbar on modified components
  • Issue 7703 : Do not remove add-ons from the install dir
  • Issue 7716 : Ascan Category summaries not updated
  • Issue 7749 : Remove extraneous chars from SQL queries
  • Issue 7750 : Correct - Consistently prompt when deleting history/sites items
  • Issue 7765 : Exceptions during update of add-ons with dependents with optional Extensions
  • Issue 7769 : Remove duplicate Message properties
  • Issue 7804 : Ensure passive scan runs even with high traffic
  • Issue 7814 : Prevent exception when uninstalling add-on’s help
  • Issue 7844 : Retain add-on’s mandatory state
  • Issue 7873 : Sort Sites nodes with different case consistently
  • Issue 7883 : Stop Active Scan’s Analyser
  • Issue 7936 : Update content-length in auth template scripts

See Also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible