These were the alerts most frequently flagged as false positives using Alert Filters last month.
Note that this does not necessarily mean they are false positives, it could mean that the people using ZAP are not interested in these specific vulnerabilities.
| Position | Alert | Status | Rule Type |
|---|---|---|---|
| 1 | Cookie without SameSite Attribute | release | Passive |
| 2 | Information Disclosure - Suspicious Comments | release | Passive |
| 3 | Session ID in URL Rewrite | release | Passive |
| 4 | Cross-Domain Misconfiguration | release | Passive |
| 5 | X-Content-Type-Options Header Missing | release | Passive |
| 6 | Retrieved from Cache | release | Passive |
| 7 | SQL Injection | release | Active |
| 8 | Strict-Transport-Security Header | release | Passive |
| 9 | Content Security Policy (CSP) Header Not Set | release | Passive |
| 10 | Re-examine Cache-control Directives | release | Passive |
| 11 | Loosely Scoped Cookie | release | Passive |
| 12 | HTTP Server Response Header | release | Passive |
| 13 | User Agent Fuzzer | release | Active |
| 14 | CSP | release | Passive |
| 15 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
| 16 | Session Management Response Identified | beta | Passive |
| 17 | Timestamp Disclosure - Unix | release | Passive |
| 18 | Cookie No HttpOnly Flag | release | Passive |
| 19 | Modern Web Application | release | Passive |
| 20 | Anti-clickjacking Header | release | Passive |