These were the alerts most frequently flagged as false positives using Alert Filters last month.
Note that this does not necessarily mean they are false positives, it could mean that the people using ZAP are not interested in these specific vulnerabilities.
| Position | Alert | Status | Rule Type |
|---|---|---|---|
| 1 | Cookie without SameSite Attribute | release | Passive |
| 2 | Information Disclosure - Suspicious Comments | release | Passive |
| 3 | Session ID in URL Rewrite | release | Passive |
| 4 | Cross-Domain Misconfiguration | release | Passive |
| 5 | X-Content-Type-Options Header Missing | release | Passive |
| 6 | Content Security Policy (CSP) Header Not Set | release | Passive |
| 7 | SQL Injection | release | Active |
| 8 | Strict-Transport-Security Header | release | Passive |
| 9 | Retrieved from Cache | release | Passive |
| 10 | Re-examine Cache-control Directives | release | Passive |
| 11 | CSP | release | Passive |
| 12 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
| 13 | HTTP Server Response Header | release | Passive |
| 14 | Loosely Scoped Cookie | release | Passive |
| 15 | User Agent Fuzzer | release | Active |
| 16 | Timestamp Disclosure - Unix | release | Passive |
| 17 | Session Management Response Identified | beta | Passive |
| 18 | Modern Web Application | release | Passive |
| 19 | Anti-clickjacking Header | release | Passive |
| 20 | Cookie No HttpOnly Flag | release | Passive |