@jvehent
Created September 18, 2017 21:46
# zap-baseline rule configuration file
# change an action to IGNORE to ignore the rule, or to FAIL to fail the scan if the rule matches
# only the rule identifiers are used - the names are just for info
2 IGNORE (Private IP Disclosure)
10010 FAIL (Cookie No HttpOnly Flag)
10011 FAIL (Cookie Without Secure Flag)
10012 IGNORE (Password Autocomplete in browser)
10016 IGNORE (Web Browser XSS Protection Not Enabled)
# Warn on 10017 for now (left commented out, so the default action applies); need to decide how to handle SRIs better
# 10017 FAIL (Cross-Domain JavaScript Source File Inclusion)
10019 FAIL (Content-Type Header Missing)
10020 FAIL (X-Frame-Options Header Not Set)
10021 FAIL (X-Content-Type-Options Header Missing)
10026 IGNORE (HTTP Parameter Override)
10027 IGNORE (Information Disclosure - Suspicious Comments)
10031 IGNORE (User Controllable HTML Element Attribute - Potential XSS)
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative))
10035 FAIL (Strict-Transport-Security Header Not Set)
10036 IGNORE (Server Leaks Version Information via "Server" HTTP Response Header Field)
10037 IGNORE (Server Leaks Information via "X-Powered-By" HTTP Response Header Field)
10038 FAIL (Content Security Policy (CSP) Header Not Set)
10039 IGNORE (X-Backend-Server Header Information Leak)
10040 FAIL (Secure Pages Include Mixed Content)
10049 IGNORE (Storable and Cacheable Content)
10050 IGNORE (Retrieved from Cache)
10052 FAIL (X-ChromeLogger-Data (XCOLD) Header Information Leak)
10094 IGNORE (Base64 Disclosure)
10096 IGNORE (Timestamp Disclosure)
10097 IGNORE (Hash Disclosure)
10098 FAIL (Cross-Domain Misconfiguration)
10099 IGNORE (Source Code Disclosure - SQL)
10202 FAIL (Absence of Anti-CSRF Tokens)
50001 INFO (Script Passive Scan Rules)
# Previous ID of the same rule, still used in the released version
40014 FAIL (Absence of Anti-CSRF Tokens)
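A small parser for this rule-file format, added here as an example; it is not part of the gist or of ZAP's own tooling. It assumes zap-baseline's behaviour of skipping blank and `#` lines and treating unlisted rules as WARN, accepts the action words used in the file plus WARN, and reports a rule name listed under two IDs (as the anti-CSRF rule is above).

```python
import re
from collections import defaultdict

# Actions accepted: the ones used in the gist (IGNORE, FAIL, INFO) plus WARN,
# which is assumed to be the default for rules not listed in the file.
ACTIONS = {"IGNORE", "WARN", "FAIL", "INFO"}
DEFAULT_ACTION = "WARN"

# "<id> <action> (<optional name>)"; whitespace-separated so tab- or
# space-separated lines both parse. Names may contain nested parentheses.
LINE_RE = re.compile(r"^(\d+)\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_rule_config(text):
    """Parse rule config text into {rule_id: (action, name)}.

    A malformed line, unknown action or duplicate id raises ValueError so a
    CI job fails loudly instead of scanning with an unintended policy."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        rule_id, action, name = m.group(1), m.group(2).upper(), m.group(3) or ""
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        if rule_id in rules:
            raise ValueError(f"line {lineno}: duplicate rule id {rule_id}")
        rules[rule_id] = (action, name)
    return rules


def action_for(rules, rule_id):
    """Action applied to a scan rule; WARN when the id is not configured."""
    return rules.get(str(rule_id), (DEFAULT_ACTION, ""))[0]


def names_with_multiple_ids(rules):
    """Rule names listed under more than one id (e.g. an id that changed
    between ZAP releases, with both kept in the config)."""
    by_name = defaultdict(list)
    for rule_id, (_, name) in rules.items():
        by_name[name].append(rule_id)
    return {n: sorted(ids) for n, ids in by_name.items() if len(ids) > 1}


# Constructed sample: a subset of the gist's file, used to exercise the parser.
SAMPLE = """\
# zap-baseline rule configuration file
10010 FAIL (Cookie No HttpOnly Flag)
10016 IGNORE (Web Browser XSS Protection Not Enabled)
# 10017 FAIL (Cross-Domain JavaScript Source File Inclusion)
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative))
10202 FAIL (Absence of Anti-CSRF Tokens)
40014 FAIL (Absence of Anti-CSRF Tokens)
"""
```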