These were the alerts most frequently flagged as false positives using Alert Filters last month.
Note that this does not necessarily mean they are false positives, it could mean that the people using ZAP are not interested in these specific vulnerabilities.
| Position | Alert | Status | Rule Type |
|---|---|---|---|
| 1 | Cookie without SameSite Attribute | release | Passive |
| 2 | Session ID in URL Rewrite | release | Passive |
| 3 | Information Disclosure - Suspicious Comments | release | Passive |
| 4 | Cross-Domain Misconfiguration | release | Passive |
| 5 | Retrieved from Cache | release | Passive |
| 6 | X-Content-Type-Options Header Missing | release | Passive |
| 7 | SQL Injection | release | Active |
| 8 | Strict-Transport-Security Header | release | Passive |
| 9 | Loosely Scoped Cookie | release | Passive |
| 10 | Content Security Policy (CSP) Header Not Set | release | Passive |
| 11 | Timestamp Disclosure - Unix | release | Passive |
| 12 | Re-examine Cache-control Directives | release | Passive |
| 13 | HTTP Server Response Header | release | Passive |
| 14 | CSP | release | Passive |
| 15 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
| 16 | User Agent Fuzzer | release | Active |
| 17 | Cookie No HttpOnly Flag | release | Passive |
| 18 | Backup File Detected | alpha | Script Active |
| 19 | Modern Web Application | release | Passive |
| 20 | Absence of Anti-CSRF Tokens | release | Passive |