forked from Securing-DevOps/invoicer-chapter2
zap-baseline.conf
# zap-baseline rule configuration file
# set a rule to IGNORE to ignore it, or to FAIL to fail the scan when the rule matches
# only the rule identifiers are used - the names are just for info
10010 FAIL (Cookie No HttpOnly Flag)
10011 FAIL (Cookie Without Secure Flag)
10012 IGNORE (Password Autocomplete in browser)
10016 FAIL (Web Browser XSS Protection Not Enabled)
10017 FAIL (Cross-Domain JavaScript Source File Inclusion)
10019 FAIL (Content-Type Header Missing)
10020 FAIL (X-Frame-Options Header Not Set)
10021 FAIL (X-Content-Type-Options Header Missing)
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative))
10035 FAIL (Strict-Transport-Security Header Not Set)
10038 FAIL (Content Security Policy (CSP) Header Not Set)
10040 FAIL (Secure Pages Include Mixed Content)
10052 FAIL (X-ChromeLogger-Data (XCOLD) Header Information Leak)
10098 FAIL (Cross-Domain Misconfiguration)
40014 FAIL (Absence of Anti-CSRF Tokens)
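The file above is consumed by the zap-baseline scan: each line maps a ZAP passive-scan rule id to an action, and the name in parentheses is dropped. To make that behaviour concrete, here is an added example (not ZAP's own code and not part of the original repository) that parses a config in this format, reports malformed lines and duplicate ids, and then applies the actions to a constructed list of scan alerts to produce the pass/fail verdict a CI job would act on. Besides FAIL and IGNORE shown on the page, zap-baseline also accepts WARN, and rules absent from the config default to WARN; the sample config, the alert list and the `evaluate_alerts` helper are constructed for this illustration.

```python
"""Parse a zap-baseline rule configuration and apply it to scan alerts.

Added example, not ZAP's own code. Mirrors the contract stated in the
config header: only the numeric rule id and the action matter; the name
in parentheses is informational and discarded.
"""
import re
from typing import Dict, List, Tuple

# Actions zap-baseline understands. The page only shows FAIL and IGNORE;
# WARN is the third action (and the default for rules not listed).
VALID_ACTIONS = {"IGNORE", "WARN", "FAIL"}

# One config line: "<rule id> <ACTION>" optionally followed by "(<name>)".
# Names may themselves contain parentheses, e.g. "(... (CSP) ...)", so the
# name group is greedy and anchored to the final ")".
_LINE_RE = re.compile(r"^(\d+)\s+([A-Z]+)(?:\s+\((.*)\))?\s*$")

# Constructed sample: a subset of the page's rules plus two deliberately
# bad lines (a duplicate id and an unknown action) to exercise validation.
SAMPLE_CONF = """\
# zap-baseline rule configuration file
10010 FAIL (Cookie No HttpOnly Flag)
10012 IGNORE (Password Autocomplete in browser)
10038 FAIL (Content Security Policy (CSP) Header Not Set)
10040 FAIL (Secure Pages Include Mixed Content)
10038 WARN (constructed duplicate entry; last one wins)
99999 MAYBE (constructed line with an invalid action)
"""

# Constructed alerts as (plugin id, alert name), as a scan might report them.
SAMPLE_ALERTS = [
    (10010, "Cookie No HttpOnly Flag"),
    (10012, "Password Autocomplete in browser"),
    (10038, "Content Security Policy (CSP) Header Not Set"),
    (10020, "X-Frame-Options Header Not Set"),  # not in SAMPLE_CONF -> WARN
]


def parse_rule_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({rule_id: action}, [problems]).

    Comment and blank lines are skipped. A duplicated id is reported but
    the later line still takes effect, matching a line-by-line reader.
    """
    rules: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: unparseable: {raw!r}")
            continue
        rule_id, action, _name = m.groups()  # _name is intentionally unused
        if action not in VALID_ACTIONS:
            problems.append(f"line {lineno}: unknown action {action!r} for rule {rule_id}")
            continue
        if rule_id in rules:
            problems.append(f"line {lineno}: rule {rule_id} listed more than once")
        rules[rule_id] = action
    return rules, problems


def evaluate_alerts(rules: Dict[str, str], alerts, default_action: str = "WARN"):
    """Bucket alerts by the action their rule maps to and derive a verdict.

    Rules absent from the config get default_action (WARN, as zap-baseline
    does). The verdict is FAIL if any alert landed in the FAIL bucket, which
    is what makes the CI step exit non-zero.
    """
    grouped = {"FAIL": [], "WARN": [], "IGNORE": []}
    for plugin_id, alert_name in alerts:
        action = rules.get(str(plugin_id), default_action)
        grouped[action].append((plugin_id, alert_name))
    verdict = "FAIL" if grouped["FAIL"] else "PASS"
    return verdict, grouped


if __name__ == "__main__":
    parsed, issues = parse_rule_config(SAMPLE_CONF)
    for issue in issues:
        print("config problem:", issue)
    result, buckets = evaluate_alerts(parsed, SAMPLE_ALERTS)
    for action in ("FAIL", "WARN", "IGNORE"):
        for plugin_id, name in buckets[action]:
            print(f"{action:6} {plugin_id} {name}")
    print("verdict:", result)
```

Running the validator in CI before the scan catches a typo such as `FIAL` or a rule id pasted twice, which would otherwise silently weaken the baseline (an unrecognised action means the rule never fails the build).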