forked from HHS/Head-Start-TTADP
-
Notifications
You must be signed in to change notification settings - Fork 1
/
zap.conf
30 lines (30 loc) · 1.4 KB
/
zap.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
10010 FAIL (Cookie No HttpOnly Flag)
10011 FAIL (Cookie Without Secure Flag)
10015 WARN (Incomplete or No Cache-control and Pragma HTTP Header Set)
10016 FAIL (Web Browser XSS Protection Not Enabled)
10017 WARN (Cross-Domain JavaScript Source File Inclusion)
10019 WARN (Content-Type Header Missing)
10020 FAIL (X-Frame-Options Header Scanner)
10021 WARN (X-Content-Type-Options Header Missing)
10023 WARN (Information Disclosure - Debug Error Messages)
10024 FAIL (Information Disclosure - Sensitive Informations in URL)
10025 FAIL (Information Disclosure - Sensitive Information in HTTP Referrer Header)
10026 WARN (HTTP Parameter Override)
10027 WARN (Information Disclosure - Suspicious Comments)
10032 WARN (Viewstate Scanner)
10040 FAIL (Secure Pages Include Mixed Content)
10105 FAIL (Weak Authentication Method)
10202 FAIL (Absence of Anti-CSRF Tokens)
10055 WARN (CSP)
2 WARN (Private IP Disclosure)
3 FAIL (Session ID in URL Rewrite)
50001 WARN (Script Passive Scan Rules)
90001 FAIL (Insecure JSF ViewState)
90011 WARN (Charset Mismatch)
90022 WARN (Application Error Disclosure)
90033 FAIL (Loosely Scoped Cookie)
* OUTOFSCOPE .*(robots.txt|sitemap.xml)