Highest False Positives Last Month

These were the alerts most frequently flagged as false positives using Alert Filters last month.

Note that this does not necessarily mean they are false positives; it could mean that the people using ZAP are not interested in these specific vulnerabilities.

| Position | Alert | Status | Rule Type |
|---|---|---|---|
| 1 | Timestamp Disclosure | release | Passive |
| 2 | Information Disclosure - Suspicious Comments | release | Passive |
| 3 | Content Security Policy (CSP) Header Not Set | beta | Passive |
| 4 | Incomplete or No Cache-control Header Set | release | Passive |
| 5 | User Agent Fuzzer | beta | Active |
| 6 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
| 7 | Absence of Anti-CSRF Tokens | release | Passive |
| 8 | X-Content-Type-Options Header Missing | release | Passive |
| 9 | CSP | release | Passive |
| 10 | User Controllable HTML Element Attribute (Potential XSS) | beta | Passive |
| 11 | Strict-Transport-Security Header | beta | Passive |
| 12 | Modern Web Application | beta | Passive |
| 13 | Cookie without SameSite Attribute | release | Passive |
| 14 | X-Frame-Options Header Not Set | release | Passive |
| 15 | Information Disclosure - Sensitive Information in URL | release | Passive |
| 16 | HTTP Server Response Header | beta | Passive |
| 17 | PII Disclosure | beta | Passive |
| 18 | Private IP Disclosure | release | Passive |
| 19 | Application Error Disclosure | release | Passive |
| 20 | Content Cacheability | alpha | Passive |