[{"data":1,"prerenderedAt":1915},["ShallowReactive",2],{"navigation":3,"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260316":143,"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260316-surround":1910},[4],{"title":5,"path":6,"stem":7,"children":8,"page":32},"Docs","\u002Fdocs","docs",[9,33,58,79,112,117],{"title":10,"path":11,"stem":12,"children":13,"page":32},"Getting Started","\u002Fdocs\u002Fgetting-started","docs\u002Fgetting-started",[14,18,23,28],{"title":10,"path":15,"stem":16,"order":17},"\u002Fdocs\u002Fgetting-started\u002F_dir","docs\u002Fgetting-started\u002F_dir",1,{"title":19,"path":20,"stem":21,"order":22},"Configuration Reference","\u002Fdocs\u002Fgetting-started\u002Fconfiguration","docs\u002Fgetting-started\u002Fconfiguration",2,{"title":24,"path":25,"stem":26,"order":27},"Deployment Guide","\u002Fdocs\u002Fgetting-started\u002Fdeployment","docs\u002Fgetting-started\u002Fdeployment",3,{"title":29,"path":30,"stem":31,"order":17},"Quick Start","\u002Fdocs\u002Fgetting-started\u002Fquick-start","docs\u002Fgetting-started\u002Fquick-start",false,{"title":34,"path":35,"stem":36,"children":37,"page":32},"Guides","\u002Fdocs\u002Fguides","docs\u002Fguides",[38,41,45,49,54],{"title":34,"path":39,"stem":40,"order":22},"\u002Fdocs\u002Fguides\u002F_dir","docs\u002Fguides\u002F_dir",{"title":42,"path":43,"stem":44,"order":22},"Notifications","\u002Fdocs\u002Fguides\u002Fnotifications","docs\u002Fguides\u002Fnotifications",{"title":46,"path":47,"stem":48,"order":17},"Scoring Algorithm","\u002Fdocs\u002Fguides\u002Fscoring","docs\u002Fguides\u002Fscoring",{"title":50,"path":51,"stem":52,"order":53},"Sunset 
Mode","\u002Fdocs\u002Fguides\u002Fsunset-mode","docs\u002Fguides\u002Fsunset-mode",4,{"title":55,"path":56,"stem":57,"order":27},"Troubleshooting","\u002Fdocs\u002Fguides\u002Ftroubleshooting","docs\u002Fguides\u002Ftroubleshooting",{"title":59,"path":60,"stem":61,"children":62,"page":32},"Project","\u002Fdocs\u002Fproject","docs\u002Fproject",[63,67,71,75],{"title":59,"path":64,"stem":65,"order":66},"\u002Fdocs\u002Fproject\u002F_dir","docs\u002Fproject\u002F_dir",6,{"title":68,"path":69,"stem":70,"order":27},"Changelog","\u002Fdocs\u002Fproject\u002Fchangelog","docs\u002Fproject\u002Fchangelog",{"title":72,"path":73,"stem":74,"order":17},"Contributing","\u002Fdocs\u002Fproject\u002Fcontributing","docs\u002Fproject\u002Fcontributing",{"title":76,"path":77,"stem":78,"order":22},"Contributors","\u002Fdocs\u002Fproject\u002Fcontributors","docs\u002Fproject\u002Fcontributors",{"title":80,"path":81,"stem":82,"children":83,"page":32},"Reference","\u002Fdocs\u002Freference","docs\u002Freference",[84,87,108],{"title":80,"path":85,"stem":86,"order":27},"\u002Fdocs\u002Freference\u002F_dir","docs\u002Freference\u002F_dir",{"title":88,"path":89,"stem":90,"children":91,"page":32},"Api","\u002Fdocs\u002Freference\u002Fapi","docs\u002Freference\u002Fapi",[92,96,100,104],{"title":93,"path":94,"stem":95,"order":22},"API Reference","\u002Fdocs\u002Freference\u002Fapi\u002F_dir","docs\u002Freference\u002Fapi\u002F_dir",{"title":97,"path":98,"stem":99,"order":22},"API Examples","\u002Fdocs\u002Freference\u002Fapi\u002Fexamples","docs\u002Freference\u002Fapi\u002Fexamples",{"title":101,"path":102,"stem":103,"order":53},"API Versioning & Stability Guarantees","\u002Fdocs\u002Freference\u002Fapi\u002Fversioning","docs\u002Freference\u002Fapi\u002Fversioning",{"title":105,"path":106,"stem":107,"order":27},"Common 
Workflows","\u002Fdocs\u002Freference\u002Fapi\u002Fworkflows","docs\u002Freference\u002Fapi\u002Fworkflows",{"title":109,"path":110,"stem":111,"order":17},"Architecture","\u002Fdocs\u002Freference\u002Farchitecture","docs\u002Freference\u002Farchitecture",{"title":113,"path":114,"stem":115,"order":116},"Release Workflow","\u002Fdocs\u002Freleasing","docs\u002Freleasing",5,{"title":118,"path":119,"stem":120,"children":121,"order":17},"Security Policy","\u002Fdocs\u002Fsecurity","docs\u002Fsecurity\u002Findex",[122,123,127,131,134,137,140],{"title":118,"path":119,"stem":120,"order":17},{"title":124,"path":125,"stem":126,"order":53},"Security","\u002Fdocs\u002Fsecurity\u002F_dir","docs\u002Fsecurity\u002F_dir",{"title":128,"path":129,"stem":130,"order":22},"OWASP ZAP API Scan — Baseline Report","\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260310","docs\u002Fsecurity\u002Fzap-baseline-20260310",{"title":128,"path":132,"stem":133,"order":27},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260316","docs\u002Fsecurity\u002Fzap-baseline-20260316",{"title":128,"path":135,"stem":136,"order":53},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260323","docs\u002Fsecurity\u002Fzap-baseline-20260323",{"title":128,"path":138,"stem":139,"order":116},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260324","docs\u002Fsecurity\u002Fzap-baseline-20260324",{"title":128,"path":141,"stem":142},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260406","docs\u002Fsecurity\u002Fzap-baseline-20260406",{"id":144,"title":128,"body":145,"description":1903,"extension":1904,"links":1905,"meta":1906,"navigation":1907,"path":132,"seo":1908,"stem":133,"__hash__":1909},"docs\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260316.md",{"type":146,"value":147,"toc":1879},"minimark",[148,178,183,240,243,247,252,440,444,578,582,676,680,744,748,812,816,1018,1022,1026,1130,1134,1198,1202,1266,1270,1344,1348,1412,1415,1459,1463,1517,1521,1695,1699,1754,1758,1804,1808,1875],[149,150,151,155,156,159,160,163,164,167,168,172
,167,175],"p",{},[152,153,154],"strong",{},"Date:"," 2026-03-16\n",[152,157,158],{},"Tool:"," OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\n",[152,161,162],{},"Scan type:"," API Scan with OpenAPI specification\n",[152,165,166],{},"Target:"," ",[169,170,171],"code",{},"http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F",[152,173,174],{},"OpenAPI spec:",[169,176,177],{},"docs\u002Fapi\u002Fopenapi.yaml",[179,180,182],"h2",{"id":181},"summary","Summary",[184,185,186,199],"table",{},[187,188,189],"thead",{},[190,191,192,196],"tr",{},[193,194,195],"th",{},"Category",[193,197,198],{},"Count",[200,201,202,211,220,230],"tbody",{},[190,203,204,208],{},[205,206,207],"td",{},"Total scan rules tested",[205,209,210],{},"119",[190,212,213,218],{},[205,214,215],{},[152,216,217],{},"PASS",[205,219,210],{},[190,221,222,227],{},[205,223,224],{},[152,225,226],{},"WARN",[205,228,229],{},"1",[190,231,232,237],{},[205,233,234],{},[152,235,236],{},"FAIL",[205,238,239],{},"0",[149,241,242],{},"Of the 119 rules, 53 are active scan rules (attack simulation) and 66 are passive scan rules (observation-based analysis).",[179,244,246],{"id":245},"passive-scan-results","Passive Scan Results",[248,249,251],"h3",{"id":250},"security-headers-configuration","Security Headers & Configuration",[184,253,254,267],{},[187,255,256],{},[190,257,258,261,264],{},[193,259,260],{},"Rule ID",[193,262,263],{},"Test",[193,265,266],{},"Result",[200,268,269,280,290,300,310,320,330,340,350,360,370,380,390,400,410,420,430],{},[190,270,271,274,277],{},[205,272,273],{},"10010",[205,275,276],{},"Cookie No HttpOnly Flag",[205,278,279],{},"✅ PASS",[190,281,282,285,288],{},[205,283,284],{},"10011",[205,286,287],{},"Cookie Without Secure Flag",[205,289,279],{},[190,291,292,295,298],{},[205,293,294],{},"10015",[205,296,297],{},"Re-examine Cache-control Directives",[205,299,279],{},[190,301,302,305,308],{},[205,303,304],{},"10019",[205,306,307],{},"Content-Type Header 
Missing",[205,309,279],{},[190,311,312,315,318],{},[205,313,314],{},"10020",[205,316,317],{},"Anti-clickjacking Header",[205,319,279],{},[190,321,322,325,328],{},[205,323,324],{},"10021",[205,326,327],{},"X-Content-Type-Options Header Missing",[205,329,279],{},[190,331,332,335,338],{},[205,333,334],{},"10035",[205,336,337],{},"Strict-Transport-Security Header",[205,339,279],{},[190,341,342,345,348],{},[205,343,344],{},"10036",[205,346,347],{},"HTTP Server Response Header",[205,349,279],{},[190,351,352,355,358],{},[205,353,354],{},"10037",[205,356,357],{},"Server Leaks Information via \"X-Powered-By\"",[205,359,279],{},[190,361,362,365,368],{},[205,363,364],{},"10038",[205,366,367],{},"Content Security Policy (CSP) Header Not Set",[205,369,279],{},[190,371,372,375,378],{},[205,373,374],{},"10039",[205,376,377],{},"X-Backend-Server Header Information Leak",[205,379,279],{},[190,381,382,385,388],{},[205,383,384],{},"10054",[205,386,387],{},"Cookie without SameSite Attribute",[205,389,279],{},[190,391,392,395,398],{},[205,393,394],{},"10055",[205,396,397],{},"CSP",[205,399,279],{},[190,401,402,405,408],{},[205,403,404],{},"10056",[205,406,407],{},"X-Debug-Token Information Leak",[205,409,279],{},[190,411,412,415,418],{},[205,413,414],{},"10061",[205,416,417],{},"X-AspNet-Version Response Header",[205,419,279],{},[190,421,422,425,428],{},[205,423,424],{},"10063",[205,426,427],{},"Permissions Policy Header Not Set",[205,429,279],{},[190,431,432,435,438],{},[205,433,434],{},"10098",[205,436,437],{},"Cross-Domain Misconfiguration",[205,439,279],{},[248,441,443],{"id":442},"information-disclosure","Information Disclosure",[184,445,446,456],{},[187,447,448],{},[190,449,450,452,454],{},[193,451,260],{},[193,453,263],{},[193,455,266],{},[200,457,458,468,478,488,498,508,518,528,538,548,558,568],{},[190,459,460,463,466],{},[205,461,462],{},"10009",[205,464,465],{},"In Page Banner Information 
Leak",[205,467,279],{},[190,469,470,473,476],{},[205,471,472],{},"10023",[205,474,475],{},"Information Disclosure — Debug Error Messages",[205,477,279],{},[190,479,480,483,486],{},[205,481,482],{},"10024",[205,484,485],{},"Information Disclosure — Sensitive Information in URL",[205,487,279],{},[190,489,490,493,496],{},[205,491,492],{},"10025",[205,494,495],{},"Information Disclosure — Sensitive Information in HTTP Referrer Header",[205,497,279],{},[190,499,500,503,506],{},[205,501,502],{},"10027",[205,504,505],{},"Information Disclosure — Suspicious Comments",[205,507,279],{},[190,509,510,513,516],{},[205,511,512],{},"10052",[205,514,515],{},"X-ChromeLogger-Data (XCOLD) Header Information Leak",[205,517,279],{},[190,519,520,523,526],{},[205,521,522],{},"10057",[205,524,525],{},"Username Hash Found",[205,527,279],{},[190,529,530,533,536],{},[205,531,532],{},"10062",[205,534,535],{},"PII Disclosure",[205,537,279],{},[190,539,540,543,546],{},[205,541,542],{},"10096",[205,544,545],{},"Timestamp Disclosure",[205,547,279],{},[190,549,550,553,556],{},[205,551,552],{},"10097",[205,554,555],{},"Hash Disclosure",[205,557,279],{},[190,559,560,563,566],{},[205,561,562],{},"10099",[205,564,565],{},"Source Code Disclosure",[205,567,279],{},[190,569,570,573,576],{},[205,571,572],{},"2",[205,574,575],{},"Private IP Disclosure",[205,577,279],{},[248,579,581],{"id":580},"cross-site-redirect-attacks","Cross-Site & Redirect Attacks",[184,583,584,594],{},[187,585,586],{},[190,587,588,590,592],{},[193,589,260],{},[193,591,263],{},[193,593,266],{},[200,595,596,606,616,626,636,646,656,666],{},[190,597,598,601,604],{},[205,599,600],{},"10017",[205,602,603],{},"Cross-Domain JavaScript Source File Inclusion",[205,605,279],{},[190,607,608,611,614],{},[205,609,610],{},"10028",[205,612,613],{},"Off-site Redirect",[205,615,279],{},[190,617,618,621,624],{},[205,619,620],{},"10029",[205,622,623],{},"Cookie 
Poisoning",[205,625,279],{},[190,627,628,631,634],{},[205,629,630],{},"10030",[205,632,633],{},"User Controllable Charset",[205,635,279],{},[190,637,638,641,644],{},[205,639,640],{},"10031",[205,642,643],{},"User Controllable HTML Element Attribute (Potential XSS)",[205,645,279],{},[190,647,648,651,654],{},[205,649,650],{},"10043",[205,652,653],{},"User Controllable JavaScript Event (XSS)",[205,655,279],{},[190,657,658,661,664],{},[205,659,660],{},"10044",[205,662,663],{},"Big Redirect Detected (Potential Sensitive Information Leak)",[205,665,279],{},[190,667,668,671,674],{},[205,669,670],{},"10108",[205,672,673],{},"Reverse Tabnabbing",[205,675,279],{},[248,677,679],{"id":678},"transport-security","Transport Security",[184,681,682,692],{},[187,683,684],{},[190,685,686,688,690],{},[193,687,260],{},[193,689,263],{},[193,691,266],{},[200,693,694,704,714,724,734],{},[190,695,696,699,702],{},[205,697,698],{},"10040",[205,700,701],{},"Secure Pages Include Mixed Content",[205,703,279],{},[190,705,706,709,712],{},[205,707,708],{},"10041",[205,710,711],{},"HTTP to HTTPS Insecure Transition in Form Post",[205,713,279],{},[190,715,716,719,722],{},[205,717,718],{},"10042",[205,720,721],{},"HTTPS to HTTP Insecure Transition in Form Post",[205,723,279],{},[190,725,726,729,732],{},[205,727,728],{},"10047",[205,730,731],{},"HTTPS Content Available via HTTP",[205,733,279],{},[190,735,736,739,742],{},[205,737,738],{},"10106",[205,740,741],{},"HTTP Only Site",[205,743,279],{},[248,745,747],{"id":746},"authentication-session","Authentication & Session",[184,749,750,760],{},[187,751,752],{},[190,753,754,756,758],{},[193,755,260],{},[193,757,263],{},[193,759,266],{},[200,761,762,772,782,792,802],{},[190,763,764,767,770],{},[205,765,766],{},"10105",[205,768,769],{},"Weak Authentication Method",[205,771,279],{},[190,773,774,777,780],{},[205,775,776],{},"10111",[205,778,779],{},"Authentication Request 
Identified",[205,781,279],{},[190,783,784,787,790],{},[205,785,786],{},"10112",[205,788,789],{},"Session Management Response Identified",[205,791,279],{},[190,793,794,797,800],{},[205,795,796],{},"10113",[205,798,799],{},"Verification Request Identified",[205,801,279],{},[190,803,804,807,810],{},[205,805,806],{},"10202",[205,808,809],{},"Absence of Anti-CSRF Tokens",[205,811,279],{},[248,813,815],{"id":814},"known-vulnerabilities-miscellaneous","Known Vulnerabilities & Miscellaneous",[184,817,818,828],{},[187,819,820],{},[190,821,822,824,826],{},[193,823,260],{},[193,825,263],{},[193,827,266],{},[200,829,830,839,849,859,869,878,888,898,908,918,928,938,948,958,968,978,988,998,1008],{},[190,831,832,834,837],{},[205,833,239],{},[205,835,836],{},"Directory Browsing",[205,838,279],{},[190,840,841,844,847],{},[205,842,843],{},"10003",[205,845,846],{},"Vulnerable JS Library (Powered by Retire.js)",[205,848,279],{},[190,850,851,854,857],{},[205,852,853],{},"10026",[205,855,856],{},"HTTP Parameter Override",[205,858,279],{},[190,860,861,864,867],{},[205,862,863],{},"10032",[205,865,866],{},"Viewstate",[205,868,279],{},[190,870,871,874,876],{},[205,872,873],{},"10033",[205,875,836],{},[205,877,279],{},[190,879,880,883,886],{},[205,881,882],{},"10034",[205,884,885],{},"Heartbleed OpenSSL Vulnerability (Indicative)",[205,887,279],{},[190,889,890,893,896],{},[205,891,892],{},"10045",[205,894,895],{},"Source Code Disclosure — \u002FWEB-INF Folder",[205,897,279],{},[190,899,900,903,906],{},[205,901,902],{},"10048",[205,904,905],{},"Remote Code Execution — Shell Shock",[205,907,279],{},[190,909,910,913,916],{},[205,911,912],{},"10049",[205,914,915],{},"Content Cacheability",[205,917,279],{},[190,919,920,923,926],{},[205,921,922],{},"10050",[205,924,925],{},"Retrieved from Cache",[205,927,279],{},[190,929,930,933,936],{},[205,931,932],{},"10058",[205,934,935],{},"GET for POST",[205,937,279],{},[190,939,940,943,946],{},[205,941,942],{},"10104",[205,944,945],{},"User Agent 
Fuzzer",[205,947,279],{},[190,949,950,953,956],{},[205,951,952],{},"10109",[205,954,955],{},"Modern Web Application",[205,957,279],{},[190,959,960,963,966],{},[205,961,962],{},"10110",[205,964,965],{},"Dangerous JS Functions",[205,967,279],{},[190,969,970,973,976],{},[205,971,972],{},"10115",[205,974,975],{},"Script Served From Malicious Domain (polyfill)",[205,977,279],{},[190,979,980,983,986],{},[205,981,982],{},"10116",[205,984,985],{},"ZAP is Out of Date",[205,987,279],{},[190,989,990,993,996],{},[205,991,992],{},"20015",[205,994,995],{},"Heartbleed OpenSSL Vulnerability",[205,997,279],{},[190,999,1000,1003,1006],{},[205,1001,1002],{},"20017",[205,1004,1005],{},"Source Code Disclosure — CVE-2012-1823",[205,1007,279],{},[190,1009,1010,1013,1016],{},[205,1011,1012],{},"100043",[205,1014,1015],{},"Swagger UI Secret & Vulnerability Detector",[205,1017,279],{},[179,1019,1021],{"id":1020},"active-scan-results","Active Scan Results",[248,1023,1025],{"id":1024},"injection-attacks","Injection Attacks",[184,1027,1028,1038],{},[187,1029,1030],{},[190,1031,1032,1034,1036],{},[193,1033,260],{},[193,1035,263],{},[193,1037,266],{},[200,1039,1040,1050,1060,1070,1080,1090,1100,1110,1120],{},[190,1041,1042,1045,1048],{},[205,1043,1044],{},"40018",[205,1046,1047],{},"SQL Injection (Generic)",[205,1049,279],{},[190,1051,1052,1055,1058],{},[205,1053,1054],{},"40019",[205,1056,1057],{},"SQL Injection — MySQL (Time Based)",[205,1059,279],{},[190,1061,1062,1065,1068],{},[205,1063,1064],{},"40020",[205,1066,1067],{},"SQL Injection — Hypersonic SQL (Time Based)",[205,1069,279],{},[190,1071,1072,1075,1078],{},[205,1073,1074],{},"40021",[205,1076,1077],{},"SQL Injection — Oracle (Time Based)",[205,1079,279],{},[190,1081,1082,1085,1088],{},[205,1083,1084],{},"40022",[205,1086,1087],{},"SQL Injection — PostgreSQL (Time Based)",[205,1089,279],{},[190,1091,1092,1095,1098],{},[205,1093,1094],{},"40027",[205,1096,1097],{},"SQL Injection — MsSQL (Time 
Based)",[205,1099,279],{},[190,1101,1102,1105,1108],{},[205,1103,1104],{},"90021",[205,1106,1107],{},"XPath Injection",[205,1109,279],{},[190,1111,1112,1115,1118],{},[205,1113,1114],{},"90029",[205,1116,1117],{},"SOAP XML Injection",[205,1119,279],{},[190,1121,1122,1125,1128],{},[205,1123,1124],{},"90017",[205,1126,1127],{},"XSLT Injection",[205,1129,279],{},[248,1131,1133],{"id":1132},"cross-site-scripting-xss","Cross-Site Scripting (XSS)",[184,1135,1136,1146],{},[187,1137,1138],{},[190,1139,1140,1142,1144],{},[193,1141,260],{},[193,1143,263],{},[193,1145,266],{},[200,1147,1148,1158,1168,1178,1188],{},[190,1149,1150,1153,1156],{},[205,1151,1152],{},"40012",[205,1154,1155],{},"Cross Site Scripting (Reflected)",[205,1157,279],{},[190,1159,1160,1163,1166],{},[205,1161,1162],{},"40014",[205,1164,1165],{},"Cross Site Scripting (Persistent)",[205,1167,279],{},[190,1169,1170,1173,1176],{},[205,1171,1172],{},"40016",[205,1174,1175],{},"Cross Site Scripting (Persistent) — Prime",[205,1177,279],{},[190,1179,1180,1183,1186],{},[205,1181,1182],{},"40017",[205,1184,1185],{},"Cross Site Scripting (Persistent) — Spider",[205,1187,279],{},[190,1189,1190,1193,1196],{},[205,1191,1192],{},"40026",[205,1194,1195],{},"Cross Site Scripting (DOM Based)",[205,1197,279],{},[248,1199,1201],{"id":1200},"remote-code-execution","Remote Code Execution",[184,1203,1204,1214],{},[187,1205,1206],{},[190,1207,1208,1210,1212],{},[193,1209,260],{},[193,1211,263],{},[193,1213,266],{},[200,1215,1216,1226,1236,1246,1256],{},[190,1217,1218,1221,1224],{},[205,1219,1220],{},"20018",[205,1222,1223],{},"Remote Code Execution — CVE-2012-1823",[205,1225,279],{},[190,1227,1228,1231,1234],{},[205,1229,1230],{},"40048",[205,1232,1233],{},"Remote Code Execution (React2Shell)",[205,1235,279],{},[190,1237,1238,1241,1244],{},[205,1239,1240],{},"90019",[205,1242,1243],{},"Server Side Code Injection",[205,1245,279],{},[190,1247,1248,1251,1254],{},[205,1249,1250],{},"90020",[205,1252,1253],{},"Remote OS Command 
Injection",[205,1255,279],{},[190,1257,1258,1261,1264],{},[205,1259,1260],{},"90037",[205,1262,1263],{},"Remote OS Command Injection (Time Based)",[205,1265,279],{},[248,1267,1269],{"id":1268},"server-side-attacks","Server-Side Attacks",[184,1271,1272,1282],{},[187,1273,1274],{},[190,1275,1276,1278,1280],{},[193,1277,260],{},[193,1279,263],{},[193,1281,266],{},[200,1283,1284,1294,1304,1314,1324,1334],{},[190,1285,1286,1289,1292],{},[205,1287,1288],{},"90023",[205,1290,1291],{},"XML External Entity Attack",[205,1293,279],{},[190,1295,1296,1299,1302],{},[205,1297,1298],{},"40009",[205,1300,1301],{},"Server Side Include",[205,1303,279],{},[190,1305,1306,1309,1312],{},[205,1307,1308],{},"90035",[205,1310,1311],{},"Server Side Template Injection",[205,1313,279],{},[190,1315,1316,1319,1322],{},[205,1317,1318],{},"90036",[205,1320,1321],{},"Server Side Template Injection (Blind)",[205,1323,279],{},[190,1325,1326,1329,1332],{},[205,1327,1328],{},"90026",[205,1330,1331],{},"SOAP Action Spoofing",[205,1333,279],{},[190,1335,1336,1339,1342],{},[205,1337,1338],{},"40044",[205,1340,1341],{},"Exponential Entity Expansion (Billion Laughs)",[205,1343,279],{},[248,1345,1347],{"id":1346},"path-file-attacks","Path & File Attacks",[184,1349,1350,1360],{},[187,1351,1352],{},[190,1353,1354,1356,1358],{},[193,1355,260],{},[193,1357,263],{},[193,1359,266],{},[200,1361,1362,1372,1382,1392,1402],{},[190,1363,1364,1367,1370],{},[205,1365,1366],{},"6",[205,1368,1369],{},"Path Traversal",[205,1371,279],{},[190,1373,1374,1377,1380],{},[205,1375,1376],{},"7",[205,1378,1379],{},"Remote File Inclusion",[205,1381,279],{},[190,1383,1384,1387,1390],{},[205,1385,1386],{},"40032",[205,1388,1389],{},".htaccess Information Leak",[205,1391,279],{},[190,1393,1394,1397,1400],{},[205,1395,1396],{},"40034",[205,1398,1399],{},".env Information Leak",[205,1401,279],{},[190,1403,1404,1407,1410],{},[205,1405,1406],{},"40035",[205,1408,1409],{},"Hidden File 
Finder",[205,1411,279],{},[248,1413,747],{"id":1414},"authentication-session-1",[184,1416,1417,1427],{},[187,1418,1419],{},[190,1420,1421,1423,1425],{},[193,1422,260],{},[193,1424,263],{},[193,1426,266],{},[200,1428,1429,1439,1449],{},[190,1430,1431,1434,1437],{},[205,1432,1433],{},"3",[205,1435,1436],{},"Session ID in URL Rewrite",[205,1438,279],{},[190,1440,1441,1444,1447],{},[205,1442,1443],{},"20019",[205,1445,1446],{},"External Redirect",[205,1448,279],{},[190,1450,1451,1454,1457],{},[205,1452,1453],{},"90033",[205,1455,1456],{},"Loosely Scoped Cookie",[205,1458,279],{},[248,1460,1462],{"id":1461},"known-cves","Known CVEs",[184,1464,1465,1475],{},[187,1466,1467],{},[190,1468,1469,1471,1473],{},[193,1470,260],{},[193,1472,263],{},[193,1474,266],{},[200,1476,1477,1487,1497,1507],{},[190,1478,1479,1482,1485],{},[205,1480,1481],{},"40043",[205,1483,1484],{},"Log4Shell",[205,1486,279],{},[190,1488,1489,1492,1495],{},[205,1490,1491],{},"40045",[205,1493,1494],{},"Spring4Shell",[205,1496,279],{},[190,1498,1499,1502,1505],{},[205,1500,1501],{},"90001",[205,1503,1504],{},"Insecure JSF ViewState",[205,1506,279],{},[190,1508,1509,1512,1515],{},[205,1510,1511],{},"90002",[205,1513,1514],{},"Java Serialization Object",[205,1516,279],{},[248,1518,1520],{"id":1519},"infrastructure","Infrastructure",[184,1522,1523,1533],{},[187,1524,1525],{},[190,1526,1527,1529,1531],{},[193,1528,260],{},[193,1530,263],{},[193,1532,266],{},[200,1534,1535,1545,1555,1565,1575,1585,1595,1605,1615,1625,1635,1645,1655,1665,1675,1685],{},[190,1536,1537,1540,1543],{},[205,1538,1539],{},"30001",[205,1541,1542],{},"Buffer Overflow",[205,1544,279],{},[190,1546,1547,1550,1553],{},[205,1548,1549],{},"30002",[205,1551,1552],{},"Format String Error",[205,1554,279],{},[190,1556,1557,1560,1563],{},[205,1558,1559],{},"40003",[205,1561,1562],{},"CRLF Injection",[205,1564,279],{},[190,1566,1567,1570,1573],{},[205,1568,1569],{},"40008",[205,1571,1572],{},"Parameter 
Tampering",[205,1574,279],{},[190,1576,1577,1580,1583],{},[205,1578,1579],{},"40028",[205,1581,1582],{},"ELMAH Information Leak",[205,1584,279],{},[190,1586,1587,1590,1593],{},[205,1588,1589],{},"40029",[205,1591,1592],{},"Trace.axd Information Leak",[205,1594,279],{},[190,1596,1597,1600,1603],{},[205,1598,1599],{},"40042",[205,1601,1602],{},"Spring Actuator Information Leak",[205,1604,279],{},[190,1606,1607,1610,1613],{},[205,1608,1609],{},"90004",[205,1611,1612],{},"Insufficient Site Isolation Against Spectre",[205,1614,279],{},[190,1616,1617,1620,1623],{},[205,1618,1619],{},"90011",[205,1621,1622],{},"Charset Mismatch",[205,1624,279],{},[190,1626,1627,1630,1633],{},[205,1628,1629],{},"90022",[205,1631,1632],{},"Application Error Disclosure",[205,1634,279],{},[190,1636,1637,1640,1643],{},[205,1638,1639],{},"90024",[205,1641,1642],{},"Generic Padding Oracle",[205,1644,279],{},[190,1646,1647,1650,1653],{},[205,1648,1649],{},"90030",[205,1651,1652],{},"WSDL File Detection",[205,1654,279],{},[190,1656,1657,1660,1663],{},[205,1658,1659],{},"90034",[205,1661,1662],{},"Cloud Metadata Potentially Exposed",[205,1664,279],{},[190,1666,1667,1670,1673],{},[205,1668,1669],{},"90003",[205,1671,1672],{},"Sub Resource Integrity Attribute Missing",[205,1674,279],{},[190,1676,1677,1680,1683],{},[205,1678,1679],{},"50000",[205,1681,1682],{},"Script Active Scan Rules",[205,1684,279],{},[190,1686,1687,1690,1693],{},[205,1688,1689],{},"50001",[205,1691,1692],{},"Script Passive Scan Rules",[205,1694,279],{},[179,1696,1698],{"id":1697},"warnings","Warnings",[184,1700,1701,1714],{},[187,1702,1703],{},[190,1704,1705,1707,1709,1711],{},[193,1706,260],{},[193,1708,263],{},[193,1710,266],{},[193,1712,1713],{},"Details",[200,1715,1716],{},[190,1717,1718,1721,1724,1727],{},[205,1719,1720],{},"100001",[205,1722,1723],{},"Unexpected Content-Type",[205,1725,1726],{},"⚠️ WARN",[205,1728,1729,1730,1733,1734,1737,1738,1737,1741,1737,1744,1737,1747,1737,1750,1753],{},"14 instances — SPA fallback 
returns ",[169,1731,1732],{},"text\u002Fhtml"," for unknown paths (including cloud metadata probe paths like ",[169,1735,1736],{},"\u002FcomputeMetadata\u002Fv1\u002F",", ",[169,1739,1740],{},"\u002Flatest\u002Fmeta-data\u002F",[169,1742,1743],{},"\u002Fmetadata\u002Finstance",[169,1745,1746],{},"\u002Fmetadata\u002Fv1",[169,1748,1749],{},"\u002Fopc\u002Fv1\u002Finstance\u002F",[169,1751,1752],{},"\u002Fopc\u002Fv2\u002Finstance\u002F","). This is expected behavior: Vue Router handles client-side routing, so the server returns the SPA shell for any unrecognized path. Not a security issue.",[179,1755,1757],{"id":1756},"informational-alerts-no-action-required","Informational Alerts (No Action Required)",[184,1759,1760,1776],{},[187,1761,1762],{},[190,1763,1764,1767,1770,1773],{},[193,1765,1766],{},"Alert",[193,1768,1769],{},"Risk Level",[193,1771,1772],{},"Instances",[193,1774,1775],{},"Notes",[200,1777,1778,1792],{},[190,1779,1780,1783,1786,1789],{},[205,1781,1782],{},"Client Error response code (401)",[205,1784,1785],{},"Informational",[205,1787,1788],{},"5",[205,1790,1791],{},"Expected — unauthenticated API requests correctly return 401 Unauthorized",[190,1793,1794,1797,1799,1801],{},[205,1795,1796],{},"Non-Storable Content",[205,1798,1785],{},[205,1800,229],{},[205,1802,1803],{},"401 responses are correctly non-cacheable",[179,1805,1807],{"id":1806},"how-to-reproduce","How to Reproduce",[1809,1810,1815],"pre",{"className":1811,"code":1812,"language":1813,"meta":1814,"style":1814},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Start Capacitarr\nmake build\n\n# Run ZAP API scan\nmake security:zap\n\n# Reports generated:\n#   zap-report.html  — full HTML report\n#   zap-report.md    — markdown summary\n","bash","",[169,1816,1817,1825,1835,1841,1846,1853,1857,1863,1869],{"__ignoreMap":1814},[1818,1819,1821],"span",{"class":1820,"line":17},"line",[1818,1822,1824],{"class":1823},"sHwdD","# Start 
Capacitarr\n",[1818,1826,1827,1831],{"class":1820,"line":22},[1818,1828,1830],{"class":1829},"sBMFI","make",[1818,1832,1834],{"class":1833},"sfazB"," build\n",[1818,1836,1837],{"class":1820,"line":27},[1818,1838,1840],{"emptyLinePlaceholder":1839},true,"\n",[1818,1842,1843],{"class":1820,"line":53},[1818,1844,1845],{"class":1823},"# Run ZAP API scan\n",[1818,1847,1848,1850],{"class":1820,"line":116},[1818,1849,1830],{"class":1829},[1818,1851,1852],{"class":1833}," security:zap\n",[1818,1854,1855],{"class":1820,"line":66},[1818,1856,1840],{"emptyLinePlaceholder":1839},[1818,1858,1860],{"class":1820,"line":1859},7,[1818,1861,1862],{"class":1823},"# Reports generated:\n",[1818,1864,1866],{"class":1820,"line":1865},8,[1818,1867,1868],{"class":1823},"#   zap-report.html  — full HTML report\n",[1818,1870,1872],{"class":1820,"line":1871},9,[1818,1873,1874],{"class":1823},"#   zap-report.md    — markdown summary\n",[1876,1877,1878],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: 
var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":1814,"searchDepth":17,"depth":22,"links":1880},[1881,1882,1890,1900,1901,1902],{"id":181,"depth":22,"text":182},{"id":245,"depth":22,"text":246,"children":1883},[1884,1885,1886,1887,1888,1889],{"id":250,"depth":27,"text":251},{"id":442,"depth":27,"text":443},{"id":580,"depth":27,"text":581},{"id":678,"depth":27,"text":679},{"id":746,"depth":27,"text":747},{"id":814,"depth":27,"text":815},{"id":1020,"depth":22,"text":1021,"children":1891},[1892,1893,1894,1895,1896,1897,1898,1899],{"id":1024,"depth":27,"text":1025},{"id":1132,"depth":27,"text":1133},{"id":1200,"depth":27,"text":1201},{"id":1268,"depth":27,"text":1269},{"id":1346,"depth":27,"text":1347},{"id":1414,"depth":27,"text":747},{"id":1461,"depth":27,"text":1462},{"id":1519,"depth":27,"text":1520},{"id":1697,"depth":22,"text":1698},{"id":1756,"depth":22,"text":1757},{"id":1806,"depth":22,"text":1807},"Date: 2026-03-16\nTool: OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\nScan type: API Scan with OpenAPI specification\nTarget: http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F\nOpenAPI spec: docs\u002Fapi\u002Fopenapi.yaml","md",null,{},{"order":27},{"title":128,"description":1903},"aCrQWzuzWl1rtUZTuIEd9GHUvoc-b0_KPqM8OOkHOoI",[1911,1913],{"title":128,"path":129,"stem":130,"description":1912,"order":22,"children":-1},"Date: 2026-03-10\nTool: OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\nScan type: API Scan with OpenAPI specification\nTarget: http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F\nOpenAPI spec: docs\u002Fapi\u002Fopenapi.yaml",{"title":128,"path":135,"stem":136,"description":1914,"order":53,"children":-1},"Date: 2026-03-23\nTool: OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\nScan type: API Scan with OpenAPI specification\nTarget: http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F\nOpenAPI spec: docs\u002Fapi\u002Fopenapi.yaml",1776649616130]