This repository has been archived by the owner on Jan 17, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 128
/
.zap-baseline.conf
37 lines (36 loc) · 1.81 KB
/
.zap-baseline.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# zap-baseline rule configuration file
# change FAIL to IGNORE to ignore rule or FAIL to fail if rule matches
# only the rule identifiers are used - the names are just for info
2 IGNORE (Private IP Disclosure)
10010 FAIL (Cookie No HttpOnly Flag)
10011 FAIL (Cookie Without Secure Flag)
10012 IGNORE (Password Autocomplete in browser)
10016 FAIL (Web Browser XSS Protection Not Enabled)
# Warn on 10017 for now, need to decide how to handle SRI's better
10017 WARN (Cross-Domain JavaScript Source File Inclusion)
10019 FAIL (Content-Type Header Missing)
10020 FAIL (X-Frame-Options Header Not Set)
10021 FAIL (X-Content-Type-Options Header Missing)
10023 IGNORE (Information Disclosure - Debug Error Messages)
10026 IGNORE (HTTP Parameter Override)
10027 IGNORE (Information Disclosure - Suspicious Comments)
10031 IGNORE (User Controllable HTML Element Attribute - Potential XSS)
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative))
10035 FAIL (Strict-Transport-Security Header Not Set)
10036 IGNORE (Server Leaks Version Information via "Server" HTTP Response Header Field)
10037 IGNORE (Server Leaks Information via "X-Powered-By" HTTP Response Header Field)
10038 FAIL (Content Security Policy (CSP) Header Not Set)
10039 IGNORE (X-Backend-Server Header Information Leak)
10040 FAIL (Secure Pages Include Mixed Content)
10049 IGNORE (Storable and Cacheable Content)
10050 IGNORE (Retrieved from Cache)
10052 FAIL (X-ChromeLogger-Data (XCOLD) Header Information Leak)
10055 WARN (CSP Scanner: style-src unsafe-inline)
10094 IGNORE (Base64 Disclosure)
10096 IGNORE (Timestamp Disclosure)
10097 IGNORE (Hash Disclosure)
10098 FAIL (Cross-Domain Misconfiguration)
10099 IGNORE (Source Code Disclosure - SQL)
10202 FAIL (Absence of Anti-CSRF Tokens)
# Previous ID, still in released version
40014 FAIL (Absence of Anti-CSRF Tokens)