ZAP – Highest False Positives Last Month

These were the alerts most frequently flagged as false positives using Alert Filters last month.

Note that this does not necessarily mean they are false positives, it could mean that the people using ZAP are not interested in these specific vulnerabilities.

Position	Alert	Status	Rule Type
1	Information Disclosure - Suspicious Comments	release	Passive
2	Cross-Domain Misconfiguration	release	Passive
3	Retrieved from Cache	release	Passive
4	X-Content-Type-Options Header Missing	release	Passive
5	Timestamp Disclosure	release	Passive
6	Strict-Transport-Security Header	release	Passive
7	User Agent Fuzzer	release	Active
8	Session ID in URL Rewrite	release	Passive
9	Absence of Anti-CSRF Tokens	release	Passive
10	Loosely Scoped Cookie	release	Passive
11	Cross-Domain JavaScript Source File Inclusion	release	Passive
12	Content Security Policy (CSP) Header Not Set	release	Passive
13	CSP	release	Passive
14	Modern Web Application	release	Passive
15	Anti-CSRF Tokens Check	beta	Active
16	Backup File Disclosure	beta	Active
17	Re-examine Cache-control Directives	release	Passive
18	Cookie No HttpOnly Flag	release	Passive
19	Sub Resource Integrity Attribute Missing	beta	Passive
20	Cookie without SameSite Attribute	release	Passive