These were the alerts most frequently flagged as false positives using Alert Filters last month.
Note that this does not necessarily mean they are false positives; it could mean that the people using ZAP are not interested in these specific vulnerabilities.
| Position | Alert | Status | Rule Type |
|---|---|---|---|
| 1 | Cookie without SameSite Attribute | release | Passive |
| 2 | Session ID in URL Rewrite | release | Passive |
| 3 | Information Disclosure - Suspicious Comments | release | Passive |
| 4 | Cross-Domain Misconfiguration | release | Passive |
| 5 | CSP | release | Passive |
| 6 | Retrieved from Cache | release | Passive |
| 7 | X-Content-Type-Options Header Missing | release | Passive |
| 8 | Source Code Disclosure - PHP | beta | Passive |
| 9 | Loosely Scoped Cookie | release | Passive |
| 10 | Strict-Transport-Security Header | release | Passive |
| 11 | Content Security Policy (CSP) Header Not Set | release | Passive |
| 12 | Re-examine Cache-control Directives | release | Passive |
| 13 | SQL Injection | release | Active |
| 14 | Timestamp Disclosure - Unix | release | Passive |
| 15 | HTTP Server Response Header | release | Passive |
| 16 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
| 17 | User Agent Fuzzer | release | Active |
| 18 | Session Management Response Identified | beta | Passive |
| 19 | Modern Web Application | release | Passive |
| 20 | Cookie No HttpOnly Flag | release | Passive |