These were the alerts most frequently flagged as false positives using Alert Filters last month.
Note that this does not necessarily mean they are false positives, it could mean that the people using ZAP are not interested in these specific vulnerabilities.
| Position | Alert | Status | Rule Type |
|---|---|---|---|
| 1 | Loosely Scoped Cookie | release | Passive |
| 2 | Information Disclosure - Suspicious Comments | release | Passive |
| 3 | Cross-Domain Misconfiguration | release | Passive |
| 4 | Timestamp Disclosure | release | Passive |
| 5 | X-Content-Type-Options Header Missing | release | Passive |
| 6 | Absence of Anti-CSRF Tokens | release | Passive |
| 7 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
| 8 | Backup File Disclosure | beta | Active |
| 9 | Content Security Policy (CSP) Header Not Set | release | Passive |
| 10 | Cookie without SameSite Attribute | release | Passive |
| 11 | Retrieved from Cache | release | Passive |
| 12 | Re-examine Cache-control Directives | release | Passive |
| 13 | SQL Injection | release | Active |
| 14 | Format String Error | release | Active |
| 15 | Modern Web Application | release | Passive |
| 16 | External Redirect | release | Active |
| 17 | Cookie No HttpOnly Flag | release | Passive |
| 18 | User Controllable HTML Element Attribute (Potential XSS) | release | Passive |
| 19 | Anti-clickjacking Header | release | Passive |
| 20 | Insecure HTTP Method | beta | Active |