[{"data":1,"prerenderedAt":1064},["ShallowReactive",2],{"navigation":3,"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260310":143,"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260310-surround":1060},[4],{"title":5,"path":6,"stem":7,"children":8,"page":32},"Docs","\u002Fdocs","docs",[9,33,58,79,112,117],{"title":10,"path":11,"stem":12,"children":13,"page":32},"Getting Started","\u002Fdocs\u002Fgetting-started","docs\u002Fgetting-started",[14,18,23,28],{"title":10,"path":15,"stem":16,"order":17},"\u002Fdocs\u002Fgetting-started\u002F_dir","docs\u002Fgetting-started\u002F_dir",1,{"title":19,"path":20,"stem":21,"order":22},"Configuration Reference","\u002Fdocs\u002Fgetting-started\u002Fconfiguration","docs\u002Fgetting-started\u002Fconfiguration",2,{"title":24,"path":25,"stem":26,"order":27},"Deployment Guide","\u002Fdocs\u002Fgetting-started\u002Fdeployment","docs\u002Fgetting-started\u002Fdeployment",3,{"title":29,"path":30,"stem":31,"order":17},"Quick Start","\u002Fdocs\u002Fgetting-started\u002Fquick-start","docs\u002Fgetting-started\u002Fquick-start",false,{"title":34,"path":35,"stem":36,"children":37,"page":32},"Guides","\u002Fdocs\u002Fguides","docs\u002Fguides",[38,41,45,49,54],{"title":34,"path":39,"stem":40,"order":22},"\u002Fdocs\u002Fguides\u002F_dir","docs\u002Fguides\u002F_dir",{"title":42,"path":43,"stem":44,"order":22},"Notifications","\u002Fdocs\u002Fguides\u002Fnotifications","docs\u002Fguides\u002Fnotifications",{"title":46,"path":47,"stem":48,"order":17},"Scoring Algorithm","\u002Fdocs\u002Fguides\u002Fscoring","docs\u002Fguides\u002Fscoring",{"title":50,"path":51,"stem":52,"order":53},"Sunset 
Mode","\u002Fdocs\u002Fguides\u002Fsunset-mode","docs\u002Fguides\u002Fsunset-mode",4,{"title":55,"path":56,"stem":57,"order":27},"Troubleshooting","\u002Fdocs\u002Fguides\u002Ftroubleshooting","docs\u002Fguides\u002Ftroubleshooting",{"title":59,"path":60,"stem":61,"children":62,"page":32},"Project","\u002Fdocs\u002Fproject","docs\u002Fproject",[63,67,71,75],{"title":59,"path":64,"stem":65,"order":66},"\u002Fdocs\u002Fproject\u002F_dir","docs\u002Fproject\u002F_dir",6,{"title":68,"path":69,"stem":70,"order":27},"Changelog","\u002Fdocs\u002Fproject\u002Fchangelog","docs\u002Fproject\u002Fchangelog",{"title":72,"path":73,"stem":74,"order":17},"Contributing","\u002Fdocs\u002Fproject\u002Fcontributing","docs\u002Fproject\u002Fcontributing",{"title":76,"path":77,"stem":78,"order":22},"Contributors","\u002Fdocs\u002Fproject\u002Fcontributors","docs\u002Fproject\u002Fcontributors",{"title":80,"path":81,"stem":82,"children":83,"page":32},"Reference","\u002Fdocs\u002Freference","docs\u002Freference",[84,87,108],{"title":80,"path":85,"stem":86,"order":27},"\u002Fdocs\u002Freference\u002F_dir","docs\u002Freference\u002F_dir",{"title":88,"path":89,"stem":90,"children":91,"page":32},"Api","\u002Fdocs\u002Freference\u002Fapi","docs\u002Freference\u002Fapi",[92,96,100,104],{"title":93,"path":94,"stem":95,"order":22},"API Reference","\u002Fdocs\u002Freference\u002Fapi\u002F_dir","docs\u002Freference\u002Fapi\u002F_dir",{"title":97,"path":98,"stem":99,"order":22},"API Examples","\u002Fdocs\u002Freference\u002Fapi\u002Fexamples","docs\u002Freference\u002Fapi\u002Fexamples",{"title":101,"path":102,"stem":103,"order":53},"API Versioning & Stability Guarantees","\u002Fdocs\u002Freference\u002Fapi\u002Fversioning","docs\u002Freference\u002Fapi\u002Fversioning",{"title":105,"path":106,"stem":107,"order":27},"Common 
Workflows","\u002Fdocs\u002Freference\u002Fapi\u002Fworkflows","docs\u002Freference\u002Fapi\u002Fworkflows",{"title":109,"path":110,"stem":111,"order":17},"Architecture","\u002Fdocs\u002Freference\u002Farchitecture","docs\u002Freference\u002Farchitecture",{"title":113,"path":114,"stem":115,"order":116},"Release Workflow","\u002Fdocs\u002Freleasing","docs\u002Freleasing",5,{"title":118,"path":119,"stem":120,"children":121,"order":17},"Security Policy","\u002Fdocs\u002Fsecurity","docs\u002Fsecurity\u002Findex",[122,123,127,131,134,137,140],{"title":118,"path":119,"stem":120,"order":17},{"title":124,"path":125,"stem":126,"order":53},"Security","\u002Fdocs\u002Fsecurity\u002F_dir","docs\u002Fsecurity\u002F_dir",{"title":128,"path":129,"stem":130,"order":22},"OWASP ZAP API Scan — Baseline Report","\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260310","docs\u002Fsecurity\u002Fzap-baseline-20260310",{"title":128,"path":132,"stem":133,"order":27},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260316","docs\u002Fsecurity\u002Fzap-baseline-20260316",{"title":128,"path":135,"stem":136,"order":53},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260323","docs\u002Fsecurity\u002Fzap-baseline-20260323",{"title":128,"path":138,"stem":139,"order":116},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260324","docs\u002Fsecurity\u002Fzap-baseline-20260324",{"title":128,"path":141,"stem":142},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260406","docs\u002Fsecurity\u002Fzap-baseline-20260406",{"id":144,"title":128,"body":145,"description":1053,"extension":1054,"links":1055,"meta":1056,"navigation":1057,"path":129,"seo":1058,"stem":130,"__hash__":1059},"docs\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260310.md",{"type":146,"value":147,"toc":1038},"minimark",[148,178,183,241,245,250,358,362,426,430,494,498,572,576,640,644,688,692,746,750,924,928,963,967,1034],[149,150,151,155,156,159,160,163,164,167,168,172,167,175],"p",{},[152,153,154],"strong",{},"Date:"," 
2026-03-10\n",[152,157,158],{},"Tool:"," OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\n",[152,161,162],{},"Scan type:"," API Scan with OpenAPI specification\n",[152,165,166],{},"Target:"," ",[169,170,171],"code",{},"http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F",[152,173,174],{},"OpenAPI spec:",[169,176,177],{},"docs\u002Fapi\u002Fopenapi.yaml",[179,180,182],"h2",{"id":181},"summary","Summary",[184,185,186,199],"table",{},[187,188,189],"thead",{},[190,191,192,196],"tr",{},[193,194,195],"th",{},"Category",[193,197,198],{},"Count",[200,201,202,211,221,231],"tbody",{},[190,203,204,208],{},[205,206,207],"td",{},"Active scan rules tested",[205,209,210],{},"53",[190,212,213,218],{},[205,214,215],{},[152,216,217],{},"PASS",[205,219,220],{},"52",[190,222,223,228],{},[205,224,225],{},[152,226,227],{},"WARN",[205,229,230],{},"1",[190,232,233,238],{},[205,234,235],{},[152,236,237],{},"FAIL",[205,239,240],{},"0",[179,242,244],{"id":243},"active-scan-results","Active Scan Results",[246,247,249],"h3",{"id":248},"injection-attacks","Injection Attacks",[184,251,252,265],{},[187,253,254],{},[190,255,256,259,262],{},[193,257,258],{},"Rule ID",[193,260,261],{},"Test",[193,263,264],{},"Result",[200,266,267,278,288,298,308,318,328,338,348],{},[190,268,269,272,275],{},[205,270,271],{},"40018",[205,273,274],{},"SQL Injection (Generic)",[205,276,277],{},"✅ PASS",[190,279,280,283,286],{},[205,281,282],{},"40019",[205,284,285],{},"SQL Injection — MySQL (Time Based)",[205,287,277],{},[190,289,290,293,296],{},[205,291,292],{},"40020",[205,294,295],{},"SQL Injection — Hypersonic SQL (Time Based)",[205,297,277],{},[190,299,300,303,306],{},[205,301,302],{},"40021",[205,304,305],{},"SQL Injection — Oracle (Time Based)",[205,307,277],{},[190,309,310,313,316],{},[205,311,312],{},"40022",[205,314,315],{},"SQL Injection — PostgreSQL (Time Based)",[205,317,277],{},[190,319,320,323,326],{},[205,321,322],{},"40027",[205,324,325],{},"SQL Injection — MsSQL (Time 
Based)",[205,327,277],{},[190,329,330,333,336],{},[205,331,332],{},"90021",[205,334,335],{},"XPath Injection",[205,337,277],{},[190,339,340,343,346],{},[205,341,342],{},"90029",[205,344,345],{},"SOAP XML Injection",[205,347,277],{},[190,349,350,353,356],{},[205,351,352],{},"90017",[205,354,355],{},"XSLT Injection",[205,357,277],{},[246,359,361],{"id":360},"cross-site-scripting-xss","Cross-Site Scripting (XSS)",[184,363,364,374],{},[187,365,366],{},[190,367,368,370,372],{},[193,369,258],{},[193,371,261],{},[193,373,264],{},[200,375,376,386,396,406,416],{},[190,377,378,381,384],{},[205,379,380],{},"40012",[205,382,383],{},"Cross Site Scripting (Reflected)",[205,385,277],{},[190,387,388,391,394],{},[205,389,390],{},"40014",[205,392,393],{},"Cross Site Scripting (Persistent)",[205,395,277],{},[190,397,398,401,404],{},[205,399,400],{},"40016",[205,402,403],{},"Cross Site Scripting (Persistent) — Prime",[205,405,277],{},[190,407,408,411,414],{},[205,409,410],{},"40017",[205,412,413],{},"Cross Site Scripting (Persistent) — Spider",[205,415,277],{},[190,417,418,421,424],{},[205,419,420],{},"40026",[205,422,423],{},"Cross Site Scripting (DOM Based)",[205,425,277],{},[246,427,429],{"id":428},"remote-code-execution","Remote Code Execution",[184,431,432,442],{},[187,433,434],{},[190,435,436,438,440],{},[193,437,258],{},[193,439,261],{},[193,441,264],{},[200,443,444,454,464,474,484],{},[190,445,446,449,452],{},[205,447,448],{},"20018",[205,450,451],{},"Remote Code Execution — CVE-2012-1823",[205,453,277],{},[190,455,456,459,462],{},[205,457,458],{},"40048",[205,460,461],{},"Remote Code Execution (React2Shell)",[205,463,277],{},[190,465,466,469,472],{},[205,467,468],{},"90019",[205,470,471],{},"Server Side Code Injection",[205,473,277],{},[190,475,476,479,482],{},[205,477,478],{},"90020",[205,480,481],{},"Remote OS Command Injection",[205,483,277],{},[190,485,486,489,492],{},[205,487,488],{},"90037",[205,490,491],{},"Remote OS Command Injection (Time 
Based)",[205,493,277],{},[246,495,497],{"id":496},"server-side-attacks","Server-Side Attacks",[184,499,500,510],{},[187,501,502],{},[190,503,504,506,508],{},[193,505,258],{},[193,507,261],{},[193,509,264],{},[200,511,512,522,532,542,552,562],{},[190,513,514,517,520],{},[205,515,516],{},"90023",[205,518,519],{},"XML External Entity Attack",[205,521,277],{},[190,523,524,527,530],{},[205,525,526],{},"40009",[205,528,529],{},"Server Side Include",[205,531,277],{},[190,533,534,537,540],{},[205,535,536],{},"90035",[205,538,539],{},"Server Side Template Injection",[205,541,277],{},[190,543,544,547,550],{},[205,545,546],{},"90036",[205,548,549],{},"Server Side Template Injection (Blind)",[205,551,277],{},[190,553,554,557,560],{},[205,555,556],{},"90026",[205,558,559],{},"SOAP Action Spoofing",[205,561,277],{},[190,563,564,567,570],{},[205,565,566],{},"40044",[205,568,569],{},"Exponential Entity Expansion (Billion Laughs)",[205,571,277],{},[246,573,575],{"id":574},"path-file-attacks","Path & File Attacks",[184,577,578,588],{},[187,579,580],{},[190,581,582,584,586],{},[193,583,258],{},[193,585,261],{},[193,587,264],{},[200,589,590,600,610,620,630],{},[190,591,592,595,598],{},[205,593,594],{},"6",[205,596,597],{},"Path Traversal",[205,599,277],{},[190,601,602,605,608],{},[205,603,604],{},"7",[205,606,607],{},"Remote File Inclusion",[205,609,277],{},[190,611,612,615,618],{},[205,613,614],{},"40032",[205,616,617],{},".htaccess Information Leak",[205,619,277],{},[190,621,622,625,628],{},[205,623,624],{},"40034",[205,626,627],{},".env Information Leak",[205,629,277],{},[190,631,632,635,638],{},[205,633,634],{},"40035",[205,636,637],{},"Hidden File Finder",[205,639,277],{},[246,641,643],{"id":642},"authentication-session","Authentication & Session",[184,645,646,656],{},[187,647,648],{},[190,649,650,652,654],{},[193,651,258],{},[193,653,261],{},[193,655,264],{},[200,657,658,668,678],{},[190,659,660,663,666],{},[205,661,662],{},"3",[205,664,665],{},"Session ID in URL 
Rewrite",[205,667,277],{},[190,669,670,673,676],{},[205,671,672],{},"20019",[205,674,675],{},"External Redirect",[205,677,277],{},[190,679,680,683,686],{},[205,681,682],{},"90033",[205,684,685],{},"Loosely Scoped Cookie",[205,687,277],{},[246,689,691],{"id":690},"known-cves","Known CVEs",[184,693,694,704],{},[187,695,696],{},[190,697,698,700,702],{},[193,699,258],{},[193,701,261],{},[193,703,264],{},[200,705,706,716,726,736],{},[190,707,708,711,714],{},[205,709,710],{},"40043",[205,712,713],{},"Log4Shell",[205,715,277],{},[190,717,718,721,724],{},[205,719,720],{},"40045",[205,722,723],{},"Spring4Shell",[205,725,277],{},[190,727,728,731,734],{},[205,729,730],{},"90001",[205,732,733],{},"Insecure JSF ViewState",[205,735,277],{},[190,737,738,741,744],{},[205,739,740],{},"90002",[205,742,743],{},"Java Serialization Object",[205,745,277],{},[246,747,749],{"id":748},"infrastructure","Infrastructure",[184,751,752,762],{},[187,753,754],{},[190,755,756,758,760],{},[193,757,258],{},[193,759,261],{},[193,761,264],{},[200,763,764,774,784,794,804,814,824,834,844,854,864,874,884,894,904,914],{},[190,765,766,769,772],{},[205,767,768],{},"30001",[205,770,771],{},"Buffer Overflow",[205,773,277],{},[190,775,776,779,782],{},[205,777,778],{},"30002",[205,780,781],{},"Format String Error",[205,783,277],{},[190,785,786,789,792],{},[205,787,788],{},"40003",[205,790,791],{},"CRLF Injection",[205,793,277],{},[190,795,796,799,802],{},[205,797,798],{},"40008",[205,800,801],{},"Parameter Tampering",[205,803,277],{},[190,805,806,809,812],{},[205,807,808],{},"40028",[205,810,811],{},"ELMAH Information Leak",[205,813,277],{},[190,815,816,819,822],{},[205,817,818],{},"40029",[205,820,821],{},"Trace.axd Information Leak",[205,823,277],{},[190,825,826,829,832],{},[205,827,828],{},"40042",[205,830,831],{},"Spring Actuator Information Leak",[205,833,277],{},[190,835,836,839,842],{},[205,837,838],{},"90004",[205,840,841],{},"Insufficient Site Isolation Against 
Spectre",[205,843,277],{},[190,845,846,849,852],{},[205,847,848],{},"90011",[205,850,851],{},"Charset Mismatch",[205,853,277],{},[190,855,856,859,862],{},[205,857,858],{},"90022",[205,860,861],{},"Application Error Disclosure",[205,863,277],{},[190,865,866,869,872],{},[205,867,868],{},"90024",[205,870,871],{},"Generic Padding Oracle",[205,873,277],{},[190,875,876,879,882],{},[205,877,878],{},"90030",[205,880,881],{},"WSDL File Detection",[205,883,277],{},[190,885,886,889,892],{},[205,887,888],{},"90034",[205,890,891],{},"Cloud Metadata Potentially Exposed",[205,893,277],{},[190,895,896,899,902],{},[205,897,898],{},"90003",[205,900,901],{},"Sub Resource Integrity Attribute Missing",[205,903,277],{},[190,905,906,909,912],{},[205,907,908],{},"50000",[205,910,911],{},"Script Active Scan Rules",[205,913,277],{},[190,915,916,919,922],{},[205,917,918],{},"50001",[205,920,921],{},"Script Passive Scan Rules",[205,923,277],{},[246,925,927],{"id":926},"warnings","Warnings",[184,929,930,943],{},[187,931,932],{},[190,933,934,936,938,940],{},[193,935,258],{},[193,937,261],{},[193,939,264],{},[193,941,942],{},"Details",[200,944,945],{},[190,946,947,950,953,956],{},[205,948,949],{},"100001",[205,951,952],{},"Unexpected Content-Type",[205,954,955],{},"⚠️ WARN",[205,957,958,959,962],{},"13 instances — SPA fallback returns ",[169,960,961],{},"text\u002Fhtml"," for unknown paths. This is expected behavior: Vue Router handles client-side routing, so the server returns the SPA shell for any unrecognized path. 
Not a security issue.",[179,964,966],{"id":965},"how-to-reproduce","How to Reproduce",[968,969,974],"pre",{"className":970,"code":971,"language":972,"meta":973,"style":973},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Start Capacitarr\nmake build\n\n# Run ZAP API scan\nmake security:zap\n\n# Reports generated:\n#   zap-report.html  — full HTML report\n#   zap-report.md    — markdown summary\n","bash","",[169,975,976,984,994,1000,1005,1012,1016,1022,1028],{"__ignoreMap":973},[977,978,980],"span",{"class":979,"line":17},"line",[977,981,983],{"class":982},"sHwdD","# Start Capacitarr\n",[977,985,986,990],{"class":979,"line":22},[977,987,989],{"class":988},"sBMFI","make",[977,991,993],{"class":992},"sfazB"," build\n",[977,995,996],{"class":979,"line":27},[977,997,999],{"emptyLinePlaceholder":998},true,"\n",[977,1001,1002],{"class":979,"line":53},[977,1003,1004],{"class":982},"# Run ZAP API scan\n",[977,1006,1007,1009],{"class":979,"line":116},[977,1008,989],{"class":988},[977,1010,1011],{"class":992}," security:zap\n",[977,1013,1014],{"class":979,"line":66},[977,1015,999],{"emptyLinePlaceholder":998},[977,1017,1019],{"class":979,"line":1018},7,[977,1020,1021],{"class":982},"# Reports generated:\n",[977,1023,1025],{"class":979,"line":1024},8,[977,1026,1027],{"class":982},"#   zap-report.html  — full HTML report\n",[977,1029,1031],{"class":979,"line":1030},9,[977,1032,1033],{"class":982},"#   zap-report.md    — markdown summary\n",[1035,1036,1037],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light 
.shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":973,"searchDepth":17,"depth":22,"links":1039},[1040,1041,1052],{"id":181,"depth":22,"text":182},{"id":243,"depth":22,"text":244,"children":1042},[1043,1044,1045,1046,1047,1048,1049,1050,1051],{"id":248,"depth":27,"text":249},{"id":360,"depth":27,"text":361},{"id":428,"depth":27,"text":429},{"id":496,"depth":27,"text":497},{"id":574,"depth":27,"text":575},{"id":642,"depth":27,"text":643},{"id":690,"depth":27,"text":691},{"id":748,"depth":27,"text":749},{"id":926,"depth":27,"text":927},{"id":965,"depth":22,"text":966},"Date: 2026-03-10\nTool: OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\nScan type: API Scan with OpenAPI 
specification\nTarget: http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F\nOpenAPI spec: docs\u002Fapi\u002Fopenapi.yaml","md",null,{},{"order":22},{"title":128,"description":1053},"k326NVfulA1PgT1Xay2gZcs7yCNd_0MnYBlmsVsDQAc",[1061,1062],{"title":124,"path":125,"stem":126,"description":1055,"order":53,"children":-1},{"title":128,"path":132,"stem":133,"description":1063,"order":27,"children":-1},"Date: 2026-03-16\nTool: OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\nScan type: API Scan with OpenAPI specification\nTarget: http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F\nOpenAPI spec: docs\u002Fapi\u002Fopenapi.yaml",1776649616029]