Highest False Positives Last Month

These were the alerts most frequently flagged as false positives using Alert Filters last month.

Note that this does not necessarily mean they are false positives; it could mean that the people using ZAP are not interested in these specific vulnerabilities.

| Position | Alert | Status | Rule Type |
|---|---|---|---|
| 1 | Information Disclosure - Suspicious Comments | release | Passive |
| 2 | Cross-Domain Misconfiguration | release | Passive |
| 3 | X-Content-Type-Options Header Missing | release | Passive |
| 4 | CSP | release | Passive |
| 5 | Loosely Scoped Cookie | release | Passive |
| 6 | Session ID in URL Rewrite | release | Passive |
| 7 | Absence of Anti-CSRF Tokens | release | Passive |
| 8 | Retrieved from Cache | release | Passive |
| 9 | Backup File Disclosure | beta | Active |
| 10 | Re-examine Cache-control Directives | release | Passive |
| 11 | Timestamp Disclosure | release | Passive |
| 12 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
| 13 | Anti-clickjacking Header | release | Passive |
| 14 | Permissions Policy Header Not Set | beta | Passive |
| 15 | Cookie without SameSite Attribute | release | Passive |
| 16 | Dangerous JS Functions | beta | Passive |
| 17 | Application Error Disclosure | release | Passive |
| 18 | HTTP Server Response Header | release | Passive |
| 19 | Content Security Policy (CSP) Header Not Set | release | Passive |
| 20 | User Agent Fuzzer | release | Active |