Highest False Positives Last Month

These were the alerts most frequently flagged as false positives using Alert Filters last month.

Note that this does not necessarily mean these alerts are false positives; it may instead mean that the people running ZAP are not interested in these specific findings and use Alert Filters to suppress them.

Position  Alert                                                        Status   Rule Type
1         Loosely Scoped Cookie                                        release  Passive
2         Information Disclosure - Suspicious Comments                 release  Passive
3         Cross-Domain Misconfiguration                                release  Passive
4         Timestamp Disclosure                                         release  Passive
5         X-Content-Type-Options Header Missing                        release  Passive
6         Absence of Anti-CSRF Tokens                                  release  Passive
7         Cross-Domain JavaScript Source File Inclusion                release  Passive
8         Backup File Disclosure                                       beta     Active
9         Content Security Policy (CSP) Header Not Set                 release  Passive
10        Cookie without SameSite Attribute                            release  Passive
11        Retrieved from Cache                                         release  Passive
12        Re-examine Cache-control Directives                          release  Passive
13        SQL Injection                                                release  Active
14        Format String Error                                          release  Active
15        Modern Web Application                                       release  Passive
16        External Redirect                                            release  Active
17        Cookie No HttpOnly Flag                                      release  Passive
18        User Controllable HTML Element Attribute (Potential XSS)     release  Passive
19        Anti-clickjacking Header                                     release  Passive
20        Insecure HTTP Method                                         beta     Active

Status is the release status of the add-on that ships the scan rule (release or beta); Rule Type says whether the rule runs as part of the passive scan or the active scan.
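Because a filter can hide a real finding as easily as a false one, it is worth scoping Alert Filters to the context, URL or parameter where the alert is genuinely wrong rather than suppressing a rule everywhere. The following Automation Framework plan is an added example, not taken from this page or from the ZAP project; the target host, context name, paths and parameter name are constructed for illustration, and the rule IDs (10020, 10021, 10202) are the ones ZAP's alert reference lists for the Anti-clickjacking Header, X-Content-Type-Options Header Missing and Absence of Anti-CSRF Tokens rules, which you should confirm against the version you run.

```yaml
# Added example: scoped alert filters in a ZAP Automation Framework plan.
# Host, context, paths and parameter are constructed placeholders.
env:
  contexts:
    - name: "example-app"
      urls:
        - "https://app.example.test"
      includePaths:
        - "https://app.example.test.*"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  - type: alertFilter
    parameters:
      deleteGlobalAlerts: false
    alertFilters:
      # Anti-clickjacking Header (10020): a JSON API under /api/ is never
      # rendered in a frame, so the alert is a false positive there only.
      - ruleId: 10020
        newRisk: "False Positive"
        context: "example-app"
        url: "https://app.example.test/api/.*"
        urlRegex: true
      # X-Content-Type-Options Header Missing (10021): downgrade rather than
      # suppress on the legacy tree that is being retired, keep it elsewhere.
      - ruleId: 10021
        newRisk: "Low"
        context: "example-app"
        url: "https://app.example.test/legacy/.*"
        urlRegex: true
      # Absence of Anti-CSRF Tokens (10202): the login form is protected by a
      # custom request header, so mark only that form's parameter as a false
      # positive instead of the whole application.
      - ruleId: 10202
        newRisk: "False Positive"
        context: "example-app"
        url: "https://app.example.test/login"
        parameter: "username"

  - type: spider
    parameters:
      context: "example-app"

  - type: passiveScan-wait

  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-reports"
```

Run it with `zap.sh -cmd -autorun plan.yaml`. Keeping `deleteGlobalAlerts: false` leaves any global filters configured in the GUI untouched, and each filter carries a comment explaining why the alert is wrong at that location, so the next person reviewing the plan can tell a justified suppression from one that simply hides a finding nobody wanted to fix.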