[{"data":1,"prerenderedAt":1996},["ShallowReactive",2],{"navigation":3,"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260324":143,"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260324-surround":1991},[4],{"title":5,"path":6,"stem":7,"children":8,"page":32},"Docs","\u002Fdocs","docs",[9,33,58,79,112,117],{"title":10,"path":11,"stem":12,"children":13,"page":32},"Getting Started","\u002Fdocs\u002Fgetting-started","docs\u002Fgetting-started",[14,18,23,28],{"title":10,"path":15,"stem":16,"order":17},"\u002Fdocs\u002Fgetting-started\u002F_dir","docs\u002Fgetting-started\u002F_dir",1,{"title":19,"path":20,"stem":21,"order":22},"Configuration Reference","\u002Fdocs\u002Fgetting-started\u002Fconfiguration","docs\u002Fgetting-started\u002Fconfiguration",2,{"title":24,"path":25,"stem":26,"order":27},"Deployment Guide","\u002Fdocs\u002Fgetting-started\u002Fdeployment","docs\u002Fgetting-started\u002Fdeployment",3,{"title":29,"path":30,"stem":31,"order":17},"Quick Start","\u002Fdocs\u002Fgetting-started\u002Fquick-start","docs\u002Fgetting-started\u002Fquick-start",false,{"title":34,"path":35,"stem":36,"children":37,"page":32},"Guides","\u002Fdocs\u002Fguides","docs\u002Fguides",[38,41,45,49,54],{"title":34,"path":39,"stem":40,"order":22},"\u002Fdocs\u002Fguides\u002F_dir","docs\u002Fguides\u002F_dir",{"title":42,"path":43,"stem":44,"order":22},"Notifications","\u002Fdocs\u002Fguides\u002Fnotifications","docs\u002Fguides\u002Fnotifications",{"title":46,"path":47,"stem":48,"order":17},"Scoring Algorithm","\u002Fdocs\u002Fguides\u002Fscoring","docs\u002Fguides\u002Fscoring",{"title":50,"path":51,"stem":52,"order":53},"Sunset 
Mode","\u002Fdocs\u002Fguides\u002Fsunset-mode","docs\u002Fguides\u002Fsunset-mode",4,{"title":55,"path":56,"stem":57,"order":27},"Troubleshooting","\u002Fdocs\u002Fguides\u002Ftroubleshooting","docs\u002Fguides\u002Ftroubleshooting",{"title":59,"path":60,"stem":61,"children":62,"page":32},"Project","\u002Fdocs\u002Fproject","docs\u002Fproject",[63,67,71,75],{"title":59,"path":64,"stem":65,"order":66},"\u002Fdocs\u002Fproject\u002F_dir","docs\u002Fproject\u002F_dir",6,{"title":68,"path":69,"stem":70,"order":27},"Changelog","\u002Fdocs\u002Fproject\u002Fchangelog","docs\u002Fproject\u002Fchangelog",{"title":72,"path":73,"stem":74,"order":17},"Contributing","\u002Fdocs\u002Fproject\u002Fcontributing","docs\u002Fproject\u002Fcontributing",{"title":76,"path":77,"stem":78,"order":22},"Contributors","\u002Fdocs\u002Fproject\u002Fcontributors","docs\u002Fproject\u002Fcontributors",{"title":80,"path":81,"stem":82,"children":83,"page":32},"Reference","\u002Fdocs\u002Freference","docs\u002Freference",[84,87,108],{"title":80,"path":85,"stem":86,"order":27},"\u002Fdocs\u002Freference\u002F_dir","docs\u002Freference\u002F_dir",{"title":88,"path":89,"stem":90,"children":91,"page":32},"Api","\u002Fdocs\u002Freference\u002Fapi","docs\u002Freference\u002Fapi",[92,96,100,104],{"title":93,"path":94,"stem":95,"order":22},"API Reference","\u002Fdocs\u002Freference\u002Fapi\u002F_dir","docs\u002Freference\u002Fapi\u002F_dir",{"title":97,"path":98,"stem":99,"order":22},"API Examples","\u002Fdocs\u002Freference\u002Fapi\u002Fexamples","docs\u002Freference\u002Fapi\u002Fexamples",{"title":101,"path":102,"stem":103,"order":53},"API Versioning & Stability Guarantees","\u002Fdocs\u002Freference\u002Fapi\u002Fversioning","docs\u002Freference\u002Fapi\u002Fversioning",{"title":105,"path":106,"stem":107,"order":27},"Common 
Workflows","\u002Fdocs\u002Freference\u002Fapi\u002Fworkflows","docs\u002Freference\u002Fapi\u002Fworkflows",{"title":109,"path":110,"stem":111,"order":17},"Architecture","\u002Fdocs\u002Freference\u002Farchitecture","docs\u002Freference\u002Farchitecture",{"title":113,"path":114,"stem":115,"order":116},"Release Workflow","\u002Fdocs\u002Freleasing","docs\u002Freleasing",5,{"title":118,"path":119,"stem":120,"children":121,"order":17},"Security Policy","\u002Fdocs\u002Fsecurity","docs\u002Fsecurity\u002Findex",[122,123,127,131,134,137,140],{"title":118,"path":119,"stem":120,"order":17},{"title":124,"path":125,"stem":126,"order":53},"Security","\u002Fdocs\u002Fsecurity\u002F_dir","docs\u002Fsecurity\u002F_dir",{"title":128,"path":129,"stem":130,"order":22},"OWASP ZAP API Scan — Baseline Report","\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260310","docs\u002Fsecurity\u002Fzap-baseline-20260310",{"title":128,"path":132,"stem":133,"order":27},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260316","docs\u002Fsecurity\u002Fzap-baseline-20260316",{"title":128,"path":135,"stem":136,"order":53},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260323","docs\u002Fsecurity\u002Fzap-baseline-20260323",{"title":128,"path":138,"stem":139,"order":116},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260324","docs\u002Fsecurity\u002Fzap-baseline-20260324",{"title":128,"path":141,"stem":142},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260406","docs\u002Fsecurity\u002Fzap-baseline-20260406",{"id":144,"title":128,"body":145,"description":1984,"extension":1985,"links":1986,"meta":1987,"navigation":1988,"path":138,"seo":1989,"stem":139,"__hash__":1990},"docs\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260324.md",{"type":146,"value":147,"toc":1959},"minimark",[148,182,187,245,248,252,257,445,449,583,587,681,685,749,753,817,821,1013,1017,1021,1125,1129,1193,1197,1261,1265,1339,1343,1407,1410,1454,1458,1512,1516,1690,1694,1749,1753,1803,1807,1881,1884,1888,1955],[149,150,151,155,156,159,160,163,
164,167,168,172,167,175,178,181],"p",{},[152,153,154],"strong",{},"Date:"," 2026-03-24\n",[152,157,158],{},"Tool:"," OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\n",[152,161,162],{},"Scan type:"," API Scan with OpenAPI specification\n",[152,165,166],{},"Target:"," ",[169,170,171],"code",{},"http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F",[152,173,174],{},"OpenAPI spec:",[169,176,177],{},"docs\u002Fapi\u002Fopenapi.yaml",[152,179,180],{},"Context:"," Pre-release security scan for v2.0.0",[183,184,186],"h2",{"id":185},"summary","Summary",[188,189,190,203],"table",{},[191,192,193],"thead",{},[194,195,196,200],"tr",{},[197,198,199],"th",{},"Category",[197,201,202],{},"Count",[204,205,206,215,225,235],"tbody",{},[194,207,208,212],{},[209,210,211],"td",{},"Total scan rules tested",[209,213,214],{},"119",[194,216,217,222],{},[209,218,219],{},[152,220,221],{},"PASS",[209,223,224],{},"118",[194,226,227,232],{},[209,228,229],{},[152,230,231],{},"WARN",[209,233,234],{},"1",[194,236,237,242],{},[209,238,239],{},[152,240,241],{},"FAIL",[209,243,244],{},"0",[149,246,247],{},"Of the 119 rules, 53 are active scan rules (attack simulation) and 66 are passive scan rules (observation-based analysis).",[183,249,251],{"id":250},"passive-scan-results","Passive Scan Results",[253,254,256],"h3",{"id":255},"security-headers-configuration","Security Headers & Configuration",[188,258,259,272],{},[191,260,261],{},[194,262,263,266,269],{},[197,264,265],{},"Rule ID",[197,267,268],{},"Test",[197,270,271],{},"Result",[204,273,274,285,295,305,315,325,335,345,355,365,375,385,395,405,415,425,435],{},[194,275,276,279,282],{},[209,277,278],{},"10010",[209,280,281],{},"Cookie No HttpOnly Flag",[209,283,284],{},"✅ PASS",[194,286,287,290,293],{},[209,288,289],{},"10011",[209,291,292],{},"Cookie Without Secure Flag",[209,294,284],{},[194,296,297,300,303],{},[209,298,299],{},"10015",[209,301,302],{},"Re-examine Cache-control 
Directives",[209,304,284],{},[194,306,307,310,313],{},[209,308,309],{},"10019",[209,311,312],{},"Content-Type Header Missing",[209,314,284],{},[194,316,317,320,323],{},[209,318,319],{},"10020",[209,321,322],{},"Anti-clickjacking Header",[209,324,284],{},[194,326,327,330,333],{},[209,328,329],{},"10021",[209,331,332],{},"X-Content-Type-Options Header Missing",[209,334,284],{},[194,336,337,340,343],{},[209,338,339],{},"10035",[209,341,342],{},"Strict-Transport-Security Header",[209,344,284],{},[194,346,347,350,353],{},[209,348,349],{},"10036",[209,351,352],{},"HTTP Server Response Header",[209,354,284],{},[194,356,357,360,363],{},[209,358,359],{},"10037",[209,361,362],{},"Server Leaks Information via \"X-Powered-By\"",[209,364,284],{},[194,366,367,370,373],{},[209,368,369],{},"10038",[209,371,372],{},"Content Security Policy (CSP) Header Not Set",[209,374,284],{},[194,376,377,380,383],{},[209,378,379],{},"10039",[209,381,382],{},"X-Backend-Server Header Information Leak",[209,384,284],{},[194,386,387,390,393],{},[209,388,389],{},"10054",[209,391,392],{},"Cookie without SameSite Attribute",[209,394,284],{},[194,396,397,400,403],{},[209,398,399],{},"10055",[209,401,402],{},"CSP",[209,404,284],{},[194,406,407,410,413],{},[209,408,409],{},"10056",[209,411,412],{},"X-Debug-Token Information Leak",[209,414,284],{},[194,416,417,420,423],{},[209,418,419],{},"10061",[209,421,422],{},"X-AspNet-Version Response Header",[209,424,284],{},[194,426,427,430,433],{},[209,428,429],{},"10063",[209,431,432],{},"Permissions Policy Header Not Set",[209,434,284],{},[194,436,437,440,443],{},[209,438,439],{},"10098",[209,441,442],{},"Cross-Domain Misconfiguration",[209,444,284],{},[253,446,448],{"id":447},"information-disclosure","Information 
Disclosure",[188,450,451,461],{},[191,452,453],{},[194,454,455,457,459],{},[197,456,265],{},[197,458,268],{},[197,460,271],{},[204,462,463,473,483,493,503,513,523,533,543,553,563,573],{},[194,464,465,468,471],{},[209,466,467],{},"10009",[209,469,470],{},"In Page Banner Information Leak",[209,472,284],{},[194,474,475,478,481],{},[209,476,477],{},"10023",[209,479,480],{},"Information Disclosure — Debug Error Messages",[209,482,284],{},[194,484,485,488,491],{},[209,486,487],{},"10024",[209,489,490],{},"Information Disclosure — Sensitive Information in URL",[209,492,284],{},[194,494,495,498,501],{},[209,496,497],{},"10025",[209,499,500],{},"Information Disclosure — Sensitive Information in HTTP Referrer Header",[209,502,284],{},[194,504,505,508,511],{},[209,506,507],{},"10027",[209,509,510],{},"Information Disclosure — Suspicious Comments",[209,512,284],{},[194,514,515,518,521],{},[209,516,517],{},"10052",[209,519,520],{},"X-ChromeLogger-Data (XCOLD) Header Information Leak",[209,522,284],{},[194,524,525,528,531],{},[209,526,527],{},"10057",[209,529,530],{},"Username Hash Found",[209,532,284],{},[194,534,535,538,541],{},[209,536,537],{},"10062",[209,539,540],{},"PII Disclosure",[209,542,284],{},[194,544,545,548,551],{},[209,546,547],{},"10096",[209,549,550],{},"Timestamp Disclosure",[209,552,284],{},[194,554,555,558,561],{},[209,556,557],{},"10097",[209,559,560],{},"Hash Disclosure",[209,562,284],{},[194,564,565,568,571],{},[209,566,567],{},"10099",[209,569,570],{},"Source Code Disclosure",[209,572,284],{},[194,574,575,578,581],{},[209,576,577],{},"2",[209,579,580],{},"Private IP Disclosure",[209,582,284],{},[253,584,586],{"id":585},"cross-site-redirect-attacks","Cross-Site & Redirect Attacks",[188,588,589,599],{},[191,590,591],{},[194,592,593,595,597],{},[197,594,265],{},[197,596,268],{},[197,598,271],{},[204,600,601,611,621,631,641,651,661,671],{},[194,602,603,606,609],{},[209,604,605],{},"10017",[209,607,608],{},"Cross-Domain JavaScript Source File 
Inclusion",[209,610,284],{},[194,612,613,616,619],{},[209,614,615],{},"10028",[209,617,618],{},"Off-site Redirect",[209,620,284],{},[194,622,623,626,629],{},[209,624,625],{},"10029",[209,627,628],{},"Cookie Poisoning",[209,630,284],{},[194,632,633,636,639],{},[209,634,635],{},"10030",[209,637,638],{},"User Controllable Charset",[209,640,284],{},[194,642,643,646,649],{},[209,644,645],{},"10031",[209,647,648],{},"User Controllable HTML Element Attribute (Potential XSS)",[209,650,284],{},[194,652,653,656,659],{},[209,654,655],{},"10043",[209,657,658],{},"User Controllable JavaScript Event (XSS)",[209,660,284],{},[194,662,663,666,669],{},[209,664,665],{},"10044",[209,667,668],{},"Big Redirect Detected (Potential Sensitive Information Leak)",[209,670,284],{},[194,672,673,676,679],{},[209,674,675],{},"10108",[209,677,678],{},"Reverse Tabnabbing",[209,680,284],{},[253,682,684],{"id":683},"transport-security","Transport Security",[188,686,687,697],{},[191,688,689],{},[194,690,691,693,695],{},[197,692,265],{},[197,694,268],{},[197,696,271],{},[204,698,699,709,719,729,739],{},[194,700,701,704,707],{},[209,702,703],{},"10040",[209,705,706],{},"Secure Pages Include Mixed Content",[209,708,284],{},[194,710,711,714,717],{},[209,712,713],{},"10041",[209,715,716],{},"HTTP to HTTPS Insecure Transition in Form Post",[209,718,284],{},[194,720,721,724,727],{},[209,722,723],{},"10042",[209,725,726],{},"HTTPS to HTTP Insecure Transition in Form Post",[209,728,284],{},[194,730,731,734,737],{},[209,732,733],{},"10047",[209,735,736],{},"HTTPS Content Available via HTTP",[209,738,284],{},[194,740,741,744,747],{},[209,742,743],{},"10106",[209,745,746],{},"HTTP Only Site",[209,748,284],{},[253,750,752],{"id":751},"authentication-session","Authentication & Session",[188,754,755,765],{},[191,756,757],{},[194,758,759,761,763],{},[197,760,265],{},[197,762,268],{},[197,764,271],{},[204,766,767,777,787,797,807],{},[194,768,769,772,775],{},[209,770,771],{},"10105",[209,773,774],{},"Weak 
Authentication Method",[209,776,284],{},[194,778,779,782,785],{},[209,780,781],{},"10111",[209,783,784],{},"Authentication Request Identified",[209,786,284],{},[194,788,789,792,795],{},[209,790,791],{},"10112",[209,793,794],{},"Session Management Response Identified",[209,796,284],{},[194,798,799,802,805],{},[209,800,801],{},"10113",[209,803,804],{},"Verification Request Identified",[209,806,284],{},[194,808,809,812,815],{},[209,810,811],{},"10202",[209,813,814],{},"Absence of Anti-CSRF Tokens",[209,816,284],{},[253,818,820],{"id":819},"known-vulnerabilities-miscellaneous","Known Vulnerabilities & Miscellaneous",[188,822,823,833],{},[191,824,825],{},[194,826,827,829,831],{},[197,828,265],{},[197,830,268],{},[197,832,271],{},[204,834,835,844,854,864,874,883,893,903,913,923,933,943,953,963,973,983,993,1003],{},[194,836,837,839,842],{},[209,838,244],{},[209,840,841],{},"Directory Browsing",[209,843,284],{},[194,845,846,849,852],{},[209,847,848],{},"10003",[209,850,851],{},"Vulnerable JS Library (Powered by Retire.js)",[209,853,284],{},[194,855,856,859,862],{},[209,857,858],{},"10026",[209,860,861],{},"HTTP Parameter Override",[209,863,284],{},[194,865,866,869,872],{},[209,867,868],{},"10032",[209,870,871],{},"Viewstate",[209,873,284],{},[194,875,876,879,881],{},[209,877,878],{},"10033",[209,880,841],{},[209,882,284],{},[194,884,885,888,891],{},[209,886,887],{},"10034",[209,889,890],{},"Heartbleed OpenSSL Vulnerability (Indicative)",[209,892,284],{},[194,894,895,898,901],{},[209,896,897],{},"10045",[209,899,900],{},"Source Code Disclosure — \u002FWEB-INF Folder",[209,902,284],{},[194,904,905,908,911],{},[209,906,907],{},"10048",[209,909,910],{},"Remote Code Execution — Shell Shock",[209,912,284],{},[194,914,915,918,921],{},[209,916,917],{},"10049",[209,919,920],{},"Content Cacheability",[209,922,284],{},[194,924,925,928,931],{},[209,926,927],{},"10050",[209,929,930],{},"Retrieved from 
Cache",[209,932,284],{},[194,934,935,938,941],{},[209,936,937],{},"10058",[209,939,940],{},"GET for POST",[209,942,284],{},[194,944,945,948,951],{},[209,946,947],{},"10104",[209,949,950],{},"User Agent Fuzzer",[209,952,284],{},[194,954,955,958,961],{},[209,956,957],{},"10109",[209,959,960],{},"Modern Web Application",[209,962,284],{},[194,964,965,968,971],{},[209,966,967],{},"10110",[209,969,970],{},"Dangerous JS Functions",[209,972,284],{},[194,974,975,978,981],{},[209,976,977],{},"10115",[209,979,980],{},"Script Served From Malicious Domain (polyfill)",[209,982,284],{},[194,984,985,988,991],{},[209,986,987],{},"10116",[209,989,990],{},"ZAP is Out of Date",[209,992,284],{},[194,994,995,998,1001],{},[209,996,997],{},"20015",[209,999,1000],{},"Heartbleed OpenSSL Vulnerability",[209,1002,284],{},[194,1004,1005,1008,1011],{},[209,1006,1007],{},"20017",[209,1009,1010],{},"Source Code Disclosure — CVE-2012-1823",[209,1012,284],{},[183,1014,1016],{"id":1015},"active-scan-results","Active Scan Results",[253,1018,1020],{"id":1019},"injection-attacks","Injection Attacks",[188,1022,1023,1033],{},[191,1024,1025],{},[194,1026,1027,1029,1031],{},[197,1028,265],{},[197,1030,268],{},[197,1032,271],{},[204,1034,1035,1045,1055,1065,1075,1085,1095,1105,1115],{},[194,1036,1037,1040,1043],{},[209,1038,1039],{},"40018",[209,1041,1042],{},"SQL Injection (Generic)",[209,1044,284],{},[194,1046,1047,1050,1053],{},[209,1048,1049],{},"40019",[209,1051,1052],{},"SQL Injection — MySQL (Time Based)",[209,1054,284],{},[194,1056,1057,1060,1063],{},[209,1058,1059],{},"40020",[209,1061,1062],{},"SQL Injection — Hypersonic SQL (Time Based)",[209,1064,284],{},[194,1066,1067,1070,1073],{},[209,1068,1069],{},"40021",[209,1071,1072],{},"SQL Injection — Oracle (Time Based)",[209,1074,284],{},[194,1076,1077,1080,1083],{},[209,1078,1079],{},"40022",[209,1081,1082],{},"SQL Injection — PostgreSQL (Time Based)",[209,1084,284],{},[194,1086,1087,1090,1093],{},[209,1088,1089],{},"40027",[209,1091,1092],{},"SQL 
Injection — MsSQL (Time Based)",[209,1094,284],{},[194,1096,1097,1100,1103],{},[209,1098,1099],{},"90021",[209,1101,1102],{},"XPath Injection",[209,1104,284],{},[194,1106,1107,1110,1113],{},[209,1108,1109],{},"90029",[209,1111,1112],{},"SOAP XML Injection",[209,1114,284],{},[194,1116,1117,1120,1123],{},[209,1118,1119],{},"90017",[209,1121,1122],{},"XSLT Injection",[209,1124,284],{},[253,1126,1128],{"id":1127},"cross-site-scripting-xss","Cross-Site Scripting (XSS)",[188,1130,1131,1141],{},[191,1132,1133],{},[194,1134,1135,1137,1139],{},[197,1136,265],{},[197,1138,268],{},[197,1140,271],{},[204,1142,1143,1153,1163,1173,1183],{},[194,1144,1145,1148,1151],{},[209,1146,1147],{},"40012",[209,1149,1150],{},"Cross Site Scripting (Reflected)",[209,1152,284],{},[194,1154,1155,1158,1161],{},[209,1156,1157],{},"40014",[209,1159,1160],{},"Cross Site Scripting (Persistent)",[209,1162,284],{},[194,1164,1165,1168,1171],{},[209,1166,1167],{},"40016",[209,1169,1170],{},"Cross Site Scripting (Persistent) — Prime",[209,1172,284],{},[194,1174,1175,1178,1181],{},[209,1176,1177],{},"40017",[209,1179,1180],{},"Cross Site Scripting (Persistent) — Spider",[209,1182,284],{},[194,1184,1185,1188,1191],{},[209,1186,1187],{},"40026",[209,1189,1190],{},"Cross Site Scripting (DOM Based)",[209,1192,284],{},[253,1194,1196],{"id":1195},"remote-code-execution","Remote Code Execution",[188,1198,1199,1209],{},[191,1200,1201],{},[194,1202,1203,1205,1207],{},[197,1204,265],{},[197,1206,268],{},[197,1208,271],{},[204,1210,1211,1221,1231,1241,1251],{},[194,1212,1213,1216,1219],{},[209,1214,1215],{},"20018",[209,1217,1218],{},"Remote Code Execution — CVE-2012-1823",[209,1220,284],{},[194,1222,1223,1226,1229],{},[209,1224,1225],{},"40048",[209,1227,1228],{},"Remote Code Execution (React2Shell)",[209,1230,284],{},[194,1232,1233,1236,1239],{},[209,1234,1235],{},"90019",[209,1237,1238],{},"Server Side Code 
Injection",[209,1240,284],{},[194,1242,1243,1246,1249],{},[209,1244,1245],{},"90020",[209,1247,1248],{},"Remote OS Command Injection",[209,1250,284],{},[194,1252,1253,1256,1259],{},[209,1254,1255],{},"90037",[209,1257,1258],{},"Remote OS Command Injection (Time Based)",[209,1260,284],{},[253,1262,1264],{"id":1263},"server-side-attacks","Server-Side Attacks",[188,1266,1267,1277],{},[191,1268,1269],{},[194,1270,1271,1273,1275],{},[197,1272,265],{},[197,1274,268],{},[197,1276,271],{},[204,1278,1279,1289,1299,1309,1319,1329],{},[194,1280,1281,1284,1287],{},[209,1282,1283],{},"90023",[209,1285,1286],{},"XML External Entity Attack",[209,1288,284],{},[194,1290,1291,1294,1297],{},[209,1292,1293],{},"40009",[209,1295,1296],{},"Server Side Include",[209,1298,284],{},[194,1300,1301,1304,1307],{},[209,1302,1303],{},"90035",[209,1305,1306],{},"Server Side Template Injection",[209,1308,284],{},[194,1310,1311,1314,1317],{},[209,1312,1313],{},"90036",[209,1315,1316],{},"Server Side Template Injection (Blind)",[209,1318,284],{},[194,1320,1321,1324,1327],{},[209,1322,1323],{},"90026",[209,1325,1326],{},"SOAP Action Spoofing",[209,1328,284],{},[194,1330,1331,1334,1337],{},[209,1332,1333],{},"40044",[209,1335,1336],{},"Exponential Entity Expansion (Billion Laughs)",[209,1338,284],{},[253,1340,1342],{"id":1341},"path-file-attacks","Path & File Attacks",[188,1344,1345,1355],{},[191,1346,1347],{},[194,1348,1349,1351,1353],{},[197,1350,265],{},[197,1352,268],{},[197,1354,271],{},[204,1356,1357,1367,1377,1387,1397],{},[194,1358,1359,1362,1365],{},[209,1360,1361],{},"6",[209,1363,1364],{},"Path Traversal",[209,1366,284],{},[194,1368,1369,1372,1375],{},[209,1370,1371],{},"7",[209,1373,1374],{},"Remote File Inclusion",[209,1376,284],{},[194,1378,1379,1382,1385],{},[209,1380,1381],{},"40032",[209,1383,1384],{},".htaccess Information Leak",[209,1386,284],{},[194,1388,1389,1392,1395],{},[209,1390,1391],{},"40034",[209,1393,1394],{},".env Information 
Leak",[209,1396,284],{},[194,1398,1399,1402,1405],{},[209,1400,1401],{},"40035",[209,1403,1404],{},"Hidden File Finder",[209,1406,284],{},[253,1408,752],{"id":1409},"authentication-session-1",[188,1411,1412,1422],{},[191,1413,1414],{},[194,1415,1416,1418,1420],{},[197,1417,265],{},[197,1419,268],{},[197,1421,271],{},[204,1423,1424,1434,1444],{},[194,1425,1426,1429,1432],{},[209,1427,1428],{},"3",[209,1430,1431],{},"Session ID in URL Rewrite",[209,1433,284],{},[194,1435,1436,1439,1442],{},[209,1437,1438],{},"20019",[209,1440,1441],{},"External Redirect",[209,1443,284],{},[194,1445,1446,1449,1452],{},[209,1447,1448],{},"90033",[209,1450,1451],{},"Loosely Scoped Cookie",[209,1453,284],{},[253,1455,1457],{"id":1456},"known-cves","Known CVEs",[188,1459,1460,1470],{},[191,1461,1462],{},[194,1463,1464,1466,1468],{},[197,1465,265],{},[197,1467,268],{},[197,1469,271],{},[204,1471,1472,1482,1492,1502],{},[194,1473,1474,1477,1480],{},[209,1475,1476],{},"40043",[209,1478,1479],{},"Log4Shell",[209,1481,284],{},[194,1483,1484,1487,1490],{},[209,1485,1486],{},"40045",[209,1488,1489],{},"Spring4Shell",[209,1491,284],{},[194,1493,1494,1497,1500],{},[209,1495,1496],{},"90001",[209,1498,1499],{},"Insecure JSF ViewState",[209,1501,284],{},[194,1503,1504,1507,1510],{},[209,1505,1506],{},"90002",[209,1508,1509],{},"Java Serialization Object",[209,1511,284],{},[253,1513,1515],{"id":1514},"infrastructure","Infrastructure",[188,1517,1518,1528],{},[191,1519,1520],{},[194,1521,1522,1524,1526],{},[197,1523,265],{},[197,1525,268],{},[197,1527,271],{},[204,1529,1530,1540,1550,1560,1570,1580,1590,1600,1610,1620,1630,1640,1650,1660,1670,1680],{},[194,1531,1532,1535,1538],{},[209,1533,1534],{},"30001",[209,1536,1537],{},"Buffer Overflow",[209,1539,284],{},[194,1541,1542,1545,1548],{},[209,1543,1544],{},"30002",[209,1546,1547],{},"Format String Error",[209,1549,284],{},[194,1551,1552,1555,1558],{},[209,1553,1554],{},"40003",[209,1556,1557],{},"CRLF 
Injection",[209,1559,284],{},[194,1561,1562,1565,1568],{},[209,1563,1564],{},"40008",[209,1566,1567],{},"Parameter Tampering",[209,1569,284],{},[194,1571,1572,1575,1578],{},[209,1573,1574],{},"40028",[209,1576,1577],{},"ELMAH Information Leak",[209,1579,284],{},[194,1581,1582,1585,1588],{},[209,1583,1584],{},"40029",[209,1586,1587],{},"Trace.axd Information Leak",[209,1589,284],{},[194,1591,1592,1595,1598],{},[209,1593,1594],{},"40042",[209,1596,1597],{},"Spring Actuator Information Leak",[209,1599,284],{},[194,1601,1602,1605,1608],{},[209,1603,1604],{},"90004",[209,1606,1607],{},"Insufficient Site Isolation Against Spectre",[209,1609,284],{},[194,1611,1612,1615,1618],{},[209,1613,1614],{},"90011",[209,1616,1617],{},"Charset Mismatch",[209,1619,284],{},[194,1621,1622,1625,1628],{},[209,1623,1624],{},"90022",[209,1626,1627],{},"Application Error Disclosure",[209,1629,284],{},[194,1631,1632,1635,1638],{},[209,1633,1634],{},"90024",[209,1636,1637],{},"Generic Padding Oracle",[209,1639,284],{},[194,1641,1642,1645,1648],{},[209,1643,1644],{},"90030",[209,1646,1647],{},"WSDL File Detection",[209,1649,284],{},[194,1651,1652,1655,1658],{},[209,1653,1654],{},"90034",[209,1656,1657],{},"Cloud Metadata Potentially Exposed",[209,1659,284],{},[194,1661,1662,1665,1668],{},[209,1663,1664],{},"90003",[209,1666,1667],{},"Sub Resource Integrity Attribute Missing",[209,1669,284],{},[194,1671,1672,1675,1678],{},[209,1673,1674],{},"50000",[209,1676,1677],{},"Script Active Scan Rules",[209,1679,284],{},[194,1681,1682,1685,1688],{},[209,1683,1684],{},"50001",[209,1686,1687],{},"Script Passive Scan Rules",[209,1689,284],{},[183,1691,1693],{"id":1692},"warnings","Warnings",[188,1695,1696,1709],{},[191,1697,1698],{},[194,1699,1700,1702,1704,1706],{},[197,1701,265],{},[197,1703,268],{},[197,1705,271],{},[197,1707,1708],{},"Details",[204,1710,1711],{},[194,1712,1713,1716,1719,1722],{},[209,1714,1715],{},"100001",[209,1717,1718],{},"Unexpected Content-Type",[209,1720,1721],{},"⚠️ 
WARN",[209,1723,1724,1725,1728,1729,1732,1733,1732,1736,1732,1739,1732,1742,1732,1745,1748],{},"14 instances — SPA fallback returns ",[169,1726,1727],{},"text\u002Fhtml"," for unknown paths (including cloud metadata probe paths like ",[169,1730,1731],{},"\u002FcomputeMetadata\u002Fv1\u002F",", ",[169,1734,1735],{},"\u002Flatest\u002Fmeta-data\u002F",[169,1737,1738],{},"\u002Fmetadata\u002Finstance",[169,1740,1741],{},"\u002Fmetadata\u002Fv1",[169,1743,1744],{},"\u002Fopc\u002Fv1\u002Finstance\u002F",[169,1746,1747],{},"\u002Fopc\u002Fv2\u002Finstance\u002F","). This is expected behavior: Vue Router handles client-side routing, so the server returns the SPA shell for any unrecognized path. Not a security issue.",[183,1750,1752],{"id":1751},"informational-alerts-no-action-required","Informational Alerts (No Action Required)",[188,1754,1755,1771],{},[191,1756,1757],{},[194,1758,1759,1762,1765,1768],{},[197,1760,1761],{},"Alert",[197,1763,1764],{},"Risk Level",[197,1766,1767],{},"Instances",[197,1769,1770],{},"Notes",[204,1772,1773,1791],{},[194,1774,1775,1778,1781,1784],{},[209,1776,1777],{},"Client Error response code (401, 404)",[209,1779,1780],{},"Informational",[209,1782,1783],{},"5",[209,1785,1786,1787,1790],{},"Expected — unauthenticated API requests correctly return 401 Unauthorized; cloud metadata probe ",[169,1788,1789],{},"\u002Fopenstack\u002Flatest\u002Fmeta_data.json"," returns 404",[194,1792,1793,1796,1798,1800],{},[209,1794,1795],{},"Non-Storable Content",[209,1797,1780],{},[209,1799,234],{},[209,1801,1802],{},"401 responses are correctly non-cacheable",[183,1804,1806],{"id":1805},"comparison-with-previous-scan-2026-03-23","Comparison with Previous Scan 
(2026-03-23)",[188,1808,1809,1825],{},[191,1810,1811],{},[194,1812,1813,1816,1819,1822],{},[197,1814,1815],{},"Metric",[197,1817,1818],{},"2026-03-23",[197,1820,1821],{},"2026-03-24",[197,1823,1824],{},"Change",[204,1826,1827,1839,1849,1859,1869],{},[194,1828,1829,1832,1834,1836],{},[209,1830,1831],{},"Rules tested",[209,1833,214],{},[209,1835,214],{},[209,1837,1838],{},"No change",[194,1840,1841,1843,1845,1847],{},[209,1842,221],{},[209,1844,224],{},[209,1846,224],{},[209,1848,1838],{},[194,1850,1851,1853,1855,1857],{},[209,1852,231],{},[209,1854,234],{},[209,1856,234],{},[209,1858,1838],{},[194,1860,1861,1863,1865,1867],{},[209,1862,241],{},[209,1864,244],{},[209,1866,244],{},[209,1868,1838],{},[194,1870,1871,1874,1877,1879],{},[209,1872,1873],{},"Content-Type WARN instances",[209,1875,1876],{},"14",[209,1878,1876],{},[209,1880,1838],{},[149,1882,1883],{},"No new vulnerabilities, regressions, or security findings since the previous baseline. This scan serves as the final pre-release DAST baseline for v2.0.0.",[183,1885,1887],{"id":1886},"how-to-reproduce","How to Reproduce",[1889,1890,1895],"pre",{"className":1891,"code":1892,"language":1893,"meta":1894,"style":1894},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Start Capacitarr\nmake build\n\n# Run ZAP API scan\nmake security:zap\n\n# Reports generated:\n#   zap-report.html  — full HTML report\n#   zap-report.md    — markdown summary\n","bash","",[169,1896,1897,1905,1915,1921,1926,1933,1937,1943,1949],{"__ignoreMap":1894},[1898,1899,1901],"span",{"class":1900,"line":17},"line",[1898,1902,1904],{"class":1903},"sHwdD","# Start Capacitarr\n",[1898,1906,1907,1911],{"class":1900,"line":22},[1898,1908,1910],{"class":1909},"sBMFI","make",[1898,1912,1914],{"class":1913},"sfazB"," build\n",[1898,1916,1917],{"class":1900,"line":27},[1898,1918,1920],{"emptyLinePlaceholder":1919},true,"\n",[1898,1922,1923],{"class":1900,"line":53},[1898,1924,1925],{"class":1903},"# Run 
ZAP API scan\n",[1898,1927,1928,1930],{"class":1900,"line":116},[1898,1929,1910],{"class":1909},[1898,1931,1932],{"class":1913}," security:zap\n",[1898,1934,1935],{"class":1900,"line":66},[1898,1936,1920],{"emptyLinePlaceholder":1919},[1898,1938,1940],{"class":1900,"line":1939},7,[1898,1941,1942],{"class":1903},"# Reports generated:\n",[1898,1944,1946],{"class":1900,"line":1945},8,[1898,1947,1948],{"class":1903},"#   zap-report.html  — full HTML report\n",[1898,1950,1952],{"class":1900,"line":1951},9,[1898,1953,1954],{"class":1903},"#   zap-report.md    — markdown summary\n",[1956,1957,1958],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span 
{color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":1894,"searchDepth":17,"depth":22,"links":1960},[1961,1962,1970,1980,1981,1982,1983],{"id":185,"depth":22,"text":186},{"id":250,"depth":22,"text":251,"children":1963},[1964,1965,1966,1967,1968,1969],{"id":255,"depth":27,"text":256},{"id":447,"depth":27,"text":448},{"id":585,"depth":27,"text":586},{"id":683,"depth":27,"text":684},{"id":751,"depth":27,"text":752},{"id":819,"depth":27,"text":820},{"id":1015,"depth":22,"text":1016,"children":1971},[1972,1973,1974,1975,1976,1977,1978,1979],{"id":1019,"depth":27,"text":1020},{"id":1127,"depth":27,"text":1128},{"id":1195,"depth":27,"text":1196},{"id":1263,"depth":27,"text":1264},{"id":1341,"depth":27,"text":1342},{"id":1409,"depth":27,"text":752},{"id":1456,"depth":27,"text":1457},{"id":1514,"depth":27,"text":1515},{"id":1692,"depth":22,"text":1693},{"id":1751,"depth":22,"text":1752},{"id":1805,"depth":22,"text":1806},{"id":1886,"depth":22,"text":1887},"Date: 2026-03-24\nTool: OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\nScan type: API Scan with OpenAPI specification\nTarget: http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F\nOpenAPI spec: docs\u002Fapi\u002Fopenapi.yaml\nContext: Pre-release security scan for v2.0.0","md",null,{},{"order":116},{"title":128,"description":1984},"l2F0R5a7X0qnD1hqOQ3kJatKb7xWRVsPmMQUw4pSrLc",[1992,1994],{"title":128,"path":135,"stem":136,"description":1993,"order":53,"children":-1},"Date: 2026-03-23\nTool: OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\nScan type: API Scan with OpenAPI specification\nTarget: 
http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F\nOpenAPI spec: docs\u002Fapi\u002Fopenapi.yaml",{"title":128,"path":141,"stem":142,"description":1995,"children":-1},"Date: 2026-04-06\nTool: OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\nScan type: API Scan with OpenAPI specification\nTarget: http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F\nOpenAPI spec: docs\u002Freference\u002Fapi\u002Fopenapi.yaml\nContext: Pre-release security scan for v3.1.0",1776649616303]