Frequently Asked Questions
Somethings not working. What should I do?
How do I get a specific feature implemented in ZAP?
What 'calls home' does ZAP make?
What are the command line options?
What does ZAP test for?
What is the default directory that ZAP uses?
What versions of Java are supported?
Where can I ask ZAP related questions?
Where does ZAP put its logs?
Where is ZAP installed?
Why don't you rewrite ZAP in <my favorite language>?
Why is ZAP not available in my language?
How can I add my own payloads to active scan rules?
How can I prevent ZAP from sending me 1000s of emails via a 'Contact Us' form?
How can you speed up scans?
How do I handle a False Positive?
How do I report a False Negative?
Is there any danger when scanning with ZAP against a live website (e.g. create/delete/update/corrupt data)?
Someone is using ZAP to attack my website - what should I do?
What should I do if ZAP doesn't detect a known problem?
How can I add an application icon for ZAP to Fedora / Gnome 3?
How can you start ZAP?
How can ZAP automatically authenticate via forms?
How do you add a script to ZAP from the command line?
How do you configure ZAP logging?
How do you find out what key to use to set a config value on the command line?
How can I connect to ZAP remotely?
How can I use ZAP with a Java application which connects to a web service over SSL?
How do you configure ZAP to test an application on localhost?
How to connect to an HTTPS site that reports a handshake failure?
What options exist for selective proxying?
How can I use the ZAP API in my own regression tests?
How can you use ZAP to scan APIs?
Why is an API key required by default?
Fonts in ZAP look bad on my system - what should I do?
How can I run ZAP with a high DPI display?
How can you easily maximize a tab?
What causes: Exception in thread 'AWT-EventQueue-0' when loading ZAP on Docked Mac OSX?
Why am I getting blank ZAP windows on Linux?
How can ZAP test sites that use certificate pinning?
How do I see what version of an add-on/extension I have installed?
Why are there missing History Ids?
Why has the Quick Scan Attack reported an invalid URL?
Can ZAP be used to test mobile apps?
Can ZAP be used to test my favorite framework or technology?
Can ZAP be used to test my favorite vulnerable app?
Can ZAP be used to test Windows 8 Metro apps?
Setting up ZAP to Test Damn Vulnerable Web App (DVWA)
Setting up ZAP to Test OWASP Pixi
Setting up ZAP to Test Vaadin Apps
What operating systems are supported?
What vulnerability classifications are supported?