OWASP ZAP – Highest False Positives Last Month

These were the alerts most frequently flagged as false positives using Alert Filters last month.

Note that this does not necessarily mean they are false positives, it could mean that the people using ZAP are not interested in these specific vulnerabilities.

Position	Alert	Status	Rule Type
1	Timestamp Disclosure	release	Passive
2	Information Disclosure - Suspicious Comments	release	Passive
3	Content Security Policy (CSP) Header Not Set	beta	Passive
4	Incomplete or No Cache-control Header Set	release	Passive
5	User Agent Fuzzer	beta	Active
6	Cross-Domain JavaScript Source File Inclusion	release	Passive
7	Absence of Anti-CSRF Tokens	release	Passive
8	X-Content-Type-Options Header Missing	release	Passive
9	CSP	release	Passive
10	User Controllable HTML Element Attribute (Potential XSS)	beta	Passive
11	Strict-Transport-Security Header	beta	Passive
12	Modern Web Application	beta	Passive
13	Cookie without SameSite Attribute	release	Passive
14	X-Frame-Options Header Not Set	release	Passive
15	Information Disclosure - Sensitive Information in URL	release	Passive
16	HTTP Server Response Header	beta	Passive
17	PII Disclosure	beta	Passive
18	Private IP Disclosure	release	Passive
19	Application Error Disclosure	release	Passive
20	Content Cacheability	alpha	Passive