These were the alerts most frequently marked as false positives using Alert Filters last month.
Note that a high position does not necessarily mean that the alert is a false positive: it may simply mean that the people using ZAP are not interested in that specific class of finding and filter it out.
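Alert Filters can be applied interactively or from an Automation Framework plan. The plan fragment below is an added example and is not part of this page or of ZAP's own documentation; it assumes the `alertFilter` job and that rule 10027 is the "Information Disclosure - Suspicious Comments" rule (check the ID against the scan rule list in your own ZAP build before using it):

```yaml
# Added example: an Automation Framework job that marks one rule's alerts
# as False Positive, but only on URLs under /static/ (regex). The ruleId is
# assumed to be 10027 (Suspicious Comments); verify against your ZAP build.
jobs:
  - type: alertFilter
    parameters:
      deleteGlobalAlerts: false   # keep filters already defined in the session
    alertFilters:
      - ruleId: 10027
        newRisk: "False Positive"  # other values: Info, Low, Medium, High
        url: "https://example.test/static/.*"
        urlRegex: true
        parameter: ""
        parameterRegex: false
        attack: ""
        attackRegex: false
        evidence: ""
        evidenceRegex: false
```

Scoping the filter to a URL pattern rather than the whole site is the check a reviewer usually wants: a rule that is noisy on bundled JavaScript can still be a real finding on a server-rendered page, and a blanket filter hides both.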
Position | Alert | Status | Rule Type |
---|---|---|---|
1 | Information Disclosure - Suspicious Comments | release | Passive |
2 | Cross-Domain Misconfiguration | release | Passive |
3 | X-Content-Type-Options Header Missing | release | Passive |
4 | Session ID in URL Rewrite | release | Passive |
5 | Timestamp Disclosure | release | Passive |
6 | Content Security Policy (CSP) Header Not Set | release | Passive |
7 | Retrieved from Cache | release | Passive |
8 | Strict-Transport-Security Header | release | Passive |
9 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
10 | Re-examine Cache-control Directives | release | Passive |
11 | Absence of Anti-CSRF Tokens | release | Passive |
12 | Anti-clickjacking Header | release | Passive |
13 | User Agent Fuzzer | release | Active |
14 | Cookie without SameSite Attribute | release | Passive |
15 | Modern Web Application | release | Passive |
16 | Loosely Scoped Cookie | release | Passive |
17 | CSP | release | Passive |
18 | Cookie No HttpOnly Flag | release | Passive |
19 | Sub Resource Integrity Attribute Missing | beta | Passive |
20 | Anti-CSRF Tokens Check | beta | Active |