These were the alerts most frequently flagged as false positives using Alert Filters last month.
Note that this does not necessarily mean they are false positives; it could also mean that the people using ZAP are not interested in these specific vulnerabilities.
Position | Alert | Status | Rule Type |
---|---|---|---|
1 | Information Disclosure - Suspicious Comments | release | Passive |
2 | Cross-Domain Misconfiguration | release | Passive |
3 | X-Content-Type-Options Header Missing | release | Passive |
4 | CSP | release | Passive |
5 | Loosely Scoped Cookie | release | Passive |
6 | Session ID in URL Rewrite | release | Passive |
7 | Absence of Anti-CSRF Tokens | release | Passive |
8 | Retrieved from Cache | release | Passive |
9 | Backup File Disclosure | beta | Active |
10 | Re-examine Cache-control Directives | release | Passive |
11 | Timestamp Disclosure | release | Passive |
12 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
13 | Anti-clickjacking Header | release | Passive |
14 | Permissions Policy Header Not Set | beta | Passive |
15 | Cookie without SameSite Attribute | release | Passive |
16 | Dangerous JS Functions | beta | Passive |
17 | Application Error Disclosure | release | Passive |
18 | HTTP Server Response Header | release | Passive |
19 | Content Security Policy (CSP) Header Not Set | release | Passive |
20 | User Agent Fuzzer | release | Active |