forked from mozilla-services/screenshots
.zap-baseline.conf
# zap-baseline rule configuration file
# Change an action to IGNORE to skip a rule, WARN to report it, or FAIL to fail the scan if the rule matches
# Only the numeric rule identifiers are used - the names in parentheses are just for info
2 IGNORE (Private IP Disclosure)
10010 FAIL (Cookie No HttpOnly Flag)
10011 FAIL (Cookie Without Secure Flag)
10012 IGNORE (Password Autocomplete in browser)
10016 FAIL (Web Browser XSS Protection Not Enabled)
# Warn on 10017 for now, need to decide how to handle SRI better
10017 WARN (Cross-Domain JavaScript Source File Inclusion)
10019 FAIL (Content-Type Header Missing)
10020 FAIL (X-Frame-Options Header Not Set)
10021 FAIL (X-Content-Type-Options Header Missing)
10023 IGNORE (Information Disclosure - Debug Error Messages)
10026 IGNORE (HTTP Parameter Override)
10027 IGNORE (Information Disclosure - Suspicious Comments)
10031 IGNORE (User Controllable HTML Element Attribute - Potential XSS)
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative))
10035 FAIL (Strict-Transport-Security Header Not Set)
10036 IGNORE (Server Leaks Version Information via "Server" HTTP Response Header Field)
10037 IGNORE (Server Leaks Information via "X-Powered-By" HTTP Response Header Field)
10038 FAIL (Content Security Policy (CSP) Header Not Set)
10039 IGNORE (X-Backend-Server Header Information Leak)
10040 FAIL (Secure Pages Include Mixed Content)
10049 IGNORE (Storable and Cacheable Content)
10050 IGNORE (Retrieved from Cache)
10052 FAIL (X-ChromeLogger-Data (XCOLD) Header Information Leak)
10055 WARN (CSP Scanner: style-src unsafe-inline)
10094 IGNORE (Base64 Disclosure)
10096 IGNORE (Timestamp Disclosure)
10097 IGNORE (Hash Disclosure)
10098 FAIL (Cross-Domain Misconfiguration)
10099 IGNORE (Source Code Disclosure - SQL)
10202 FAIL (Absence of Anti-CSRF Tokens)
# Previous ID, still in released version
40014 FAIL (Absence of Anti-CSRF Tokens)
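The comments above describe how this file is read: only the numeric rule id is used, the name in parentheses is informational, and each id maps to IGNORE, WARN or FAIL. The parser below is an added example, not code from the screenshots project or from ZAP; it shows how such a file is turned into a lookup table and how a set of scan alerts rolls up into an overall result. The sample alerts are constructed (rule id 99999 is a made-up id that is deliberately absent from the file), and the default action for unlisted ids (WARN) and the exit-code mapping (0 clean, 1 any FAIL, 2 WARN only) are assumptions mirroring zap-baseline's convention rather than anything stated in this config.

```python
"""Parse a zap-baseline rule configuration and apply it to scan alerts.

Added example, not part of the screenshots repository or of ZAP itself.
Assumptions (not taken from the config file): rule ids missing from the
file default to WARN, and the overall result is 1 for any FAIL, 2 for
WARN without FAIL, 0 otherwise.
"""
import re
from typing import Dict, Iterable, List, Tuple

VALID_ACTIONS = {"IGNORE", "WARN", "FAIL"}
DEFAULT_ACTION = "WARN"  # assumption: unlisted rule ids are reported as warnings

# A rule line is "<numeric id> <ACTION>" optionally followed by a free-text
# name in parentheses; only the id and the action are significant.
RULE_RE = re.compile(r"^(\d+)\s+(IGNORE|WARN|FAIL)\b")

# Constructed excerpt using lines in the same format as the config above.
SAMPLE_CONFIG = """\
# zap-baseline rule configuration file
2 IGNORE (Private IP Disclosure)
10010 FAIL (Cookie No HttpOnly Flag)
# Warn on 10017 for now, need to decide how to handle SRI better
10017 WARN (Cross-Domain JavaScript Source File Inclusion)
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative))
10035 FAIL (Strict-Transport-Security Header Not Set)
10036 IGNORE (Server Leaks Version Information via "Server" HTTP Response Header Field)
10202 FAIL (Absence of Anti-CSRF Tokens)
40014 FAIL (Absence of Anti-CSRF Tokens)
"""

# Constructed scan alerts as (rule_id, alert_name); the name is ignored.
SAMPLE_ALERTS: List[Tuple[int, str]] = [
    (10035, "Strict-Transport-Security Header Not Set"),
    (10017, "Cross-Domain JavaScript Source File Inclusion"),
    (10036, "Server Leaks Version Information via \"Server\" HTTP Response Header Field"),
    (99999, "constructed alert whose id is not listed in the config"),
]


def parse_rules(text: str) -> Dict[int, str]:
    """Return {rule_id: action}. Blank and '#' lines are skipped; text after
    the action (the human-readable name) is ignored; malformed lines and
    conflicting duplicate ids raise ValueError so a typo cannot silently
    turn a FAIL into a WARN."""
    rules: Dict[int, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: cannot parse rule: {raw!r}")
        rule_id, action = int(match.group(1)), match.group(2)
        if rule_id in rules and rules[rule_id] != action:
            raise ValueError(f"line {lineno}: conflicting action for rule {rule_id}")
        rules[rule_id] = action
    return rules


def classify_alerts(rules: Dict[int, str],
                    alerts: Iterable[Tuple[int, str]]) -> Dict[str, List[int]]:
    """Bucket each alert's rule id under the action the config assigns it."""
    buckets: Dict[str, List[int]] = {"FAIL": [], "WARN": [], "IGNORE": []}
    for rule_id, _name in alerts:
        action = rules.get(rule_id, DEFAULT_ACTION)
        buckets[action].append(rule_id)
    return buckets


def exit_code(buckets: Dict[str, List[int]]) -> int:
    """Assumed roll-up: any FAIL -> 1, otherwise any WARN -> 2, else 0."""
    if buckets["FAIL"]:
        return 1
    if buckets["WARN"]:
        return 2
    return 0


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    result = classify_alerts(rules, SAMPLE_ALERTS)
    for action, ids in result.items():
        print(f"{action:6} {ids}")
    print("exit code:", exit_code(result))
```

Running the block against the constructed alerts puts 10035 under FAIL, 10017 and the unlisted 99999 under WARN, and 10036 under IGNORE, so the overall result is 1. Listing both 10202 and 40014, as the config does during the rule-id transition, costs nothing here because each id is looked up independently.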