-
-
Notifications
You must be signed in to change notification settings - Fork 630
Expand file tree
/
Copy path.zapconfig
More file actions
51 lines (35 loc) · 2.22 KB
/
.zapconfig
File metadata and controls
51 lines (35 loc) · 2.22 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# Rule description: comment.
# rule_id<TAB>ACTION<TAB>(URL regex pattern)
# Cookie No HttpOnly Flag: csrftoken is intentionally JS-readable; token is also returned
# in the /csrf/ JSON response body, so HttpOnly provides no meaningful security benefit.
10010 IGNORE https://nest.owasp.(dev|org)/csrf/
# Re-examine Cache-Control Directives: static files with intentional cache policies.
10015 IGNORE https://nest.owasp.(dev|org)/(robots\.txt|sitemap\.xml)
# Content-Type Header Missing: harmless on 308 redirects for _next/ and api/ prefixes.
10019 IGNORE https://nest.owasp.(dev|org)/(_next|api)/
# X-Content-Type-Options Header Missing: low risk on static assets.
10021 IGNORE https://nest.owasp.(dev|org)/(_next/static/|robots\.txt)
# Information Disclosure - Suspicious Comments: source map and debug ID comments.
10027 IGNORE https://nest.owasp.(dev|org)/_next/static/chunks/[a-f0-9]{16}.js
# Strict-Transport-Security Multiple Header Entries: duplicate HSTS from proxy/CDN layer.
10035 IGNORE https://nest.owasp.(dev|org).*
# Non-Storable Content: informational only, not a vulnerability.
10049 IGNORE https://nest.owasp.(dev|org).*
# Retrieved from Cache: CDN cache hit, informational.
10050 IGNORE https://nest.owasp.(dev|org).*
# CSP: Failure to Define Directive with No Fallback: advisory, CSP is defined at app level.
10055 IGNORE https://nest.owasp.(dev|org).*
# PII disclosure: false positive credit card number.
10062 IGNORE https://nest.owasp.(dev|org)/sitemap.xml
# Permissions Policy Header Not Set: low risk on static assets.
10063 IGNORE https://nest.owasp.(dev|org)/(_next/static/|robots\.txt)
# Base64 Disclosure: false positives due to Next.js hydration / CSS inlined assets.
10094 IGNORE https://nest.owasp.(dev|org).*
# Session Management Response Identified: informational CSRF cookie detection.
10112 IGNORE https://nest.owasp.(dev|org)/csrf/
# Sub Resource Integrity Attribute Missing: Next.js internal chunks do not support SRI.
90003 IGNORE https://nest.owasp.(dev|org).*
# Cross-Origin-Embedder-Policy Header Missing: browser isolation header, advisory only.
90004 IGNORE https://nest.owasp.(dev|org).*
# Sec-Fetch-Dest Header Missing: browser-controlled, cannot enforce server-side.
90005 IGNORE https://nest.owasp.(dev|org).*