These were the alerts most frequently flagged as false positives using Alert Filters last month.
Note that this does not necessarily mean they are false positives; it could mean that the people using ZAP are not interested in these specific vulnerabilities.
Position | Alert | Status | Rule Type |
---|---|---|---|
1 | Cross-Domain Misconfiguration | release | Passive |
2 | Retrieved from Cache | release | Passive |
3 | Strict-Transport-Security Header | release | Passive |
4 | X-Content-Type-Options Header Missing | release | Passive |
5 | SQL Injection | release | Active |
6 | Timestamp Disclosure - Unix | release | Passive |
7 | HTTP Server Response Header | release | Passive |
8 | User Agent Fuzzer | release | Active |
9 | Loosely Scoped Cookie | release | Passive |
10 | CSP | release | Passive |
11 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
12 | Cookie without SameSite Attribute | release | Passive |
13 | Content Security Policy (CSP) Header Not Set | release | Passive |
14 | Cookie No HttpOnly Flag | release | Passive |
15 | Session Management Response Identified | beta | Passive |
16 | Modern Web Application | release | Passive |
17 | Absence of Anti-CSRF Tokens | release | Passive |
18 | Information Disclosure - Suspicious Comments | release | Passive |
19 | Backup File Disclosure | beta | Active |
20 | Anti-clickjacking Header | release | Passive |