Highest False Positives Last Month

These were the alerts most frequently flagged as false positives using Alert Filters last month.

Note that this does not necessarily mean they are false positives; it could also mean that the people using ZAP are not interested in these specific vulnerabilities.

Position  Alert                                                     Status   Rule Type
1         Timestamp Disclosure                                      release  Passive
2         Backup File Disclosure                                    beta     Active
3         Absence of Anti-CSRF Tokens                               release  Passive
4         X-Content-Type-Options Header Missing                     release  Passive
5         Incomplete or No Cache-control Header Set                 release  Passive
6         Information Disclosure - Suspicious Comments              release  Passive
7         Cookie without SameSite Attribute                         release  Passive
8         X-Frame-Options Header Not Set                            release  Passive
9         Cross-Domain JavaScript Source File Inclusion             release  Passive
10        Modern Web Application                                    beta     Passive
11        PII Disclosure                                            beta     Passive
12        User Agent Fuzzer                                         beta     Active
13        CSP                                                       release  Passive
14        User Controllable HTML Element Attribute (Potential XSS)  beta     Passive
15        Strict-Transport-Security Header                          beta     Passive
16        Content Security Policy (CSP) Header Not Set              beta     Passive
17        Application Error Disclosure                              release  Passive
18        Path Traversal                                            release  Active
19        Information Disclosure - Sensitive Information in URL     release  Passive
20        Cookie No HttpOnly Flag                                   release  Passive