These were the alerts most frequently flagged as false positives using Alert Filters last month.
Note that this does not necessarily mean they are false positives; it could also mean that the people using ZAP are not interested in these specific vulnerabilities.
Position | Alert | Status | Rule Type |
---|---|---|---|
1 | Information Disclosure - Suspicious Comments | release | Passive |
2 | Cross-Domain Misconfiguration | release | Passive |
3 | X-Content-Type-Options Header Missing | release | Passive |
4 | Session ID in URL Rewrite | release | Passive |
5 | Timestamp Disclosure | release | Passive |
6 | Retrieved from Cache | release | Passive |
7 | Strict-Transport-Security Header | release | Passive |
8 | User Agent Fuzzer | release | Active |
9 | Content Security Policy (CSP) Header Not Set | release | Passive |
10 | Re-examine Cache-control Directives | release | Passive |
11 | Absence of Anti-CSRF Tokens | release | Passive |
12 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
13 | Cookie without SameSite Attribute | release | Passive |
14 | Anti-clickjacking Header | release | Passive |
15 | Loosely Scoped Cookie | release | Passive |
16 | Modern Web Application | release | Passive |
17 | CSP | release | Passive |
18 | HTTP Server Response Header | release | Passive |
19 | Cookie No HttpOnly Flag | release | Passive |
20 | Sub Resource Integrity Attribute Missing | beta | Passive |