[{"data":1,"prerenderedAt":1979},["ShallowReactive",2],{"navigation":3,"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260406":143,"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260406-surround":1976},[4],{"title":5,"path":6,"stem":7,"children":8,"page":32},"Docs","\u002Fdocs","docs",[9,33,58,79,112,117],{"title":10,"path":11,"stem":12,"children":13,"page":32},"Getting Started","\u002Fdocs\u002Fgetting-started","docs\u002Fgetting-started",[14,18,23,28],{"title":10,"path":15,"stem":16,"order":17},"\u002Fdocs\u002Fgetting-started\u002F_dir","docs\u002Fgetting-started\u002F_dir",1,{"title":19,"path":20,"stem":21,"order":22},"Configuration Reference","\u002Fdocs\u002Fgetting-started\u002Fconfiguration","docs\u002Fgetting-started\u002Fconfiguration",2,{"title":24,"path":25,"stem":26,"order":27},"Deployment Guide","\u002Fdocs\u002Fgetting-started\u002Fdeployment","docs\u002Fgetting-started\u002Fdeployment",3,{"title":29,"path":30,"stem":31,"order":17},"Quick Start","\u002Fdocs\u002Fgetting-started\u002Fquick-start","docs\u002Fgetting-started\u002Fquick-start",false,{"title":34,"path":35,"stem":36,"children":37,"page":32},"Guides","\u002Fdocs\u002Fguides","docs\u002Fguides",[38,41,45,49,54],{"title":34,"path":39,"stem":40,"order":22},"\u002Fdocs\u002Fguides\u002F_dir","docs\u002Fguides\u002F_dir",{"title":42,"path":43,"stem":44,"order":22},"Notifications","\u002Fdocs\u002Fguides\u002Fnotifications","docs\u002Fguides\u002Fnotifications",{"title":46,"path":47,"stem":48,"order":17},"Scoring Algorithm","\u002Fdocs\u002Fguides\u002Fscoring","docs\u002Fguides\u002Fscoring",{"title":50,"path":51,"stem":52,"order":53},"Sunset 
Mode","\u002Fdocs\u002Fguides\u002Fsunset-mode","docs\u002Fguides\u002Fsunset-mode",4,{"title":55,"path":56,"stem":57,"order":27},"Troubleshooting","\u002Fdocs\u002Fguides\u002Ftroubleshooting","docs\u002Fguides\u002Ftroubleshooting",{"title":59,"path":60,"stem":61,"children":62,"page":32},"Project","\u002Fdocs\u002Fproject","docs\u002Fproject",[63,67,71,75],{"title":59,"path":64,"stem":65,"order":66},"\u002Fdocs\u002Fproject\u002F_dir","docs\u002Fproject\u002F_dir",6,{"title":68,"path":69,"stem":70,"order":27},"Changelog","\u002Fdocs\u002Fproject\u002Fchangelog","docs\u002Fproject\u002Fchangelog",{"title":72,"path":73,"stem":74,"order":17},"Contributing","\u002Fdocs\u002Fproject\u002Fcontributing","docs\u002Fproject\u002Fcontributing",{"title":76,"path":77,"stem":78,"order":22},"Contributors","\u002Fdocs\u002Fproject\u002Fcontributors","docs\u002Fproject\u002Fcontributors",{"title":80,"path":81,"stem":82,"children":83,"page":32},"Reference","\u002Fdocs\u002Freference","docs\u002Freference",[84,87,108],{"title":80,"path":85,"stem":86,"order":27},"\u002Fdocs\u002Freference\u002F_dir","docs\u002Freference\u002F_dir",{"title":88,"path":89,"stem":90,"children":91,"page":32},"Api","\u002Fdocs\u002Freference\u002Fapi","docs\u002Freference\u002Fapi",[92,96,100,104],{"title":93,"path":94,"stem":95,"order":22},"API Reference","\u002Fdocs\u002Freference\u002Fapi\u002F_dir","docs\u002Freference\u002Fapi\u002F_dir",{"title":97,"path":98,"stem":99,"order":22},"API Examples","\u002Fdocs\u002Freference\u002Fapi\u002Fexamples","docs\u002Freference\u002Fapi\u002Fexamples",{"title":101,"path":102,"stem":103,"order":53},"API Versioning & Stability Guarantees","\u002Fdocs\u002Freference\u002Fapi\u002Fversioning","docs\u002Freference\u002Fapi\u002Fversioning",{"title":105,"path":106,"stem":107,"order":27},"Common 
Workflows","\u002Fdocs\u002Freference\u002Fapi\u002Fworkflows","docs\u002Freference\u002Fapi\u002Fworkflows",{"title":109,"path":110,"stem":111,"order":17},"Architecture","\u002Fdocs\u002Freference\u002Farchitecture","docs\u002Freference\u002Farchitecture",{"title":113,"path":114,"stem":115,"order":116},"Release Workflow","\u002Fdocs\u002Freleasing","docs\u002Freleasing",5,{"title":118,"path":119,"stem":120,"children":121,"order":17},"Security Policy","\u002Fdocs\u002Fsecurity","docs\u002Fsecurity\u002Findex",[122,123,127,131,134,137,140],{"title":118,"path":119,"stem":120,"order":17},{"title":124,"path":125,"stem":126,"order":53},"Security","\u002Fdocs\u002Fsecurity\u002F_dir","docs\u002Fsecurity\u002F_dir",{"title":128,"path":129,"stem":130,"order":22},"OWASP ZAP API Scan — Baseline Report","\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260310","docs\u002Fsecurity\u002Fzap-baseline-20260310",{"title":128,"path":132,"stem":133,"order":27},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260316","docs\u002Fsecurity\u002Fzap-baseline-20260316",{"title":128,"path":135,"stem":136,"order":53},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260323","docs\u002Fsecurity\u002Fzap-baseline-20260323",{"title":128,"path":138,"stem":139,"order":116},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260324","docs\u002Fsecurity\u002Fzap-baseline-20260324",{"title":128,"path":141,"stem":142},"\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260406","docs\u002Fsecurity\u002Fzap-baseline-20260406",{"id":144,"title":128,"body":145,"description":1970,"extension":1971,"links":1972,"meta":1973,"navigation":1904,"path":141,"seo":1974,"stem":142,"__hash__":1975},"docs\u002Fdocs\u002Fsecurity\u002Fzap-baseline-20260406.md",{"type":146,"value":147,"toc":1945},"minimark",[148,182,187,245,248,252,257,444,448,582,586,680,684,748,752,816,820,1012,1016,1020,1124,1128,1192,1196,1260,1264,1338,1342,1406,1409,1453,1457,1511,1515,1689,1693,1727,1731,1777,1781,1857,1860,1864,1941],[149,150,151,155,156,159,160,163,
164,167,168,172,167,175,178,181],"p",{},[152,153,154],"strong",{},"Date:"," 2026-04-06\n",[152,157,158],{},"Tool:"," OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\n",[152,161,162],{},"Scan type:"," API Scan with OpenAPI specification\n",[152,165,166],{},"Target:"," ",[169,170,171],"code",{},"http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F",[152,173,174],{},"OpenAPI spec:",[169,176,177],{},"docs\u002Freference\u002Fapi\u002Fopenapi.yaml",[152,179,180],{},"Context:"," Pre-release security scan for v3.1.0",[183,184,186],"h2",{"id":185},"summary","Summary",[188,189,190,203],"table",{},[191,192,193],"thead",{},[194,195,196,200],"tr",{},[197,198,199],"th",{},"Category",[197,201,202],{},"Count",[204,205,206,215,225,235],"tbody",{},[194,207,208,212],{},[209,210,211],"td",{},"Total scan rules tested",[209,213,214],{},"119",[194,216,217,222],{},[209,218,219],{},[152,220,221],{},"PASS",[209,223,224],{},"118",[194,226,227,232],{},[209,228,229],{},[152,230,231],{},"WARN",[209,233,234],{},"1",[194,236,237,242],{},[209,238,239],{},[152,240,241],{},"FAIL",[209,243,244],{},"0",[149,246,247],{},"Of the 119 rules, 53 are active scan rules (attack simulation) and 66 are passive scan rules (observation-based analysis).",[183,249,251],{"id":250},"passive-scan-results","Passive Scan Results",[253,254,256],"h3",{"id":255},"security-headers-configuration","Security Headers & Configuration",[188,258,259,272],{},[191,260,261],{},[194,262,263,266,269],{},[197,264,265],{},"Rule ID",[197,267,268],{},"Test",[197,270,271],{},"Result",[204,273,274,284,294,304,314,324,334,344,354,364,374,384,394,404,414,424,434],{},[194,275,276,279,282],{},[209,277,278],{},"10010",[209,280,281],{},"Cookie No HttpOnly Flag",[209,283,221],{},[194,285,286,289,292],{},[209,287,288],{},"10011",[209,290,291],{},"Cookie Without Secure Flag",[209,293,221],{},[194,295,296,299,302],{},[209,297,298],{},"10015",[209,300,301],{},"Re-examine Cache-control 
Directives",[209,303,221],{},[194,305,306,309,312],{},[209,307,308],{},"10019",[209,310,311],{},"Content-Type Header Missing",[209,313,221],{},[194,315,316,319,322],{},[209,317,318],{},"10020",[209,320,321],{},"Anti-clickjacking Header",[209,323,221],{},[194,325,326,329,332],{},[209,327,328],{},"10021",[209,330,331],{},"X-Content-Type-Options Header Missing",[209,333,221],{},[194,335,336,339,342],{},[209,337,338],{},"10035",[209,340,341],{},"Strict-Transport-Security Header",[209,343,221],{},[194,345,346,349,352],{},[209,347,348],{},"10036",[209,350,351],{},"HTTP Server Response Header",[209,353,221],{},[194,355,356,359,362],{},[209,357,358],{},"10037",[209,360,361],{},"Server Leaks Information via \"X-Powered-By\"",[209,363,221],{},[194,365,366,369,372],{},[209,367,368],{},"10038",[209,370,371],{},"Content Security Policy (CSP) Header Not Set",[209,373,221],{},[194,375,376,379,382],{},[209,377,378],{},"10039",[209,380,381],{},"X-Backend-Server Header Information Leak",[209,383,221],{},[194,385,386,389,392],{},[209,387,388],{},"10054",[209,390,391],{},"Cookie without SameSite Attribute",[209,393,221],{},[194,395,396,399,402],{},[209,397,398],{},"10055",[209,400,401],{},"CSP",[209,403,221],{},[194,405,406,409,412],{},[209,407,408],{},"10056",[209,410,411],{},"X-Debug-Token Information Leak",[209,413,221],{},[194,415,416,419,422],{},[209,417,418],{},"10061",[209,420,421],{},"X-AspNet-Version Response Header",[209,423,221],{},[194,425,426,429,432],{},[209,427,428],{},"10063",[209,430,431],{},"Permissions Policy Header Not Set",[209,433,221],{},[194,435,436,439,442],{},[209,437,438],{},"10098",[209,440,441],{},"Cross-Domain Misconfiguration",[209,443,221],{},[253,445,447],{"id":446},"information-disclosure","Information 
Disclosure",[188,449,450,460],{},[191,451,452],{},[194,453,454,456,458],{},[197,455,265],{},[197,457,268],{},[197,459,271],{},[204,461,462,472,482,492,502,512,522,532,542,552,562,572],{},[194,463,464,467,470],{},[209,465,466],{},"10009",[209,468,469],{},"In Page Banner Information Leak",[209,471,221],{},[194,473,474,477,480],{},[209,475,476],{},"10023",[209,478,479],{},"Information Disclosure — Debug Error Messages",[209,481,221],{},[194,483,484,487,490],{},[209,485,486],{},"10024",[209,488,489],{},"Information Disclosure — Sensitive Information in URL",[209,491,221],{},[194,493,494,497,500],{},[209,495,496],{},"10025",[209,498,499],{},"Information Disclosure — Sensitive Information in HTTP Referrer Header",[209,501,221],{},[194,503,504,507,510],{},[209,505,506],{},"10027",[209,508,509],{},"Information Disclosure — Suspicious Comments",[209,511,221],{},[194,513,514,517,520],{},[209,515,516],{},"10052",[209,518,519],{},"X-ChromeLogger-Data (XCOLD) Header Information Leak",[209,521,221],{},[194,523,524,527,530],{},[209,525,526],{},"10057",[209,528,529],{},"Username Hash Found",[209,531,221],{},[194,533,534,537,540],{},[209,535,536],{},"10062",[209,538,539],{},"PII Disclosure",[209,541,221],{},[194,543,544,547,550],{},[209,545,546],{},"10096",[209,548,549],{},"Timestamp Disclosure",[209,551,221],{},[194,553,554,557,560],{},[209,555,556],{},"10097",[209,558,559],{},"Hash Disclosure",[209,561,221],{},[194,563,564,567,570],{},[209,565,566],{},"10099",[209,568,569],{},"Source Code Disclosure",[209,571,221],{},[194,573,574,577,580],{},[209,575,576],{},"2",[209,578,579],{},"Private IP Disclosure",[209,581,221],{},[253,583,585],{"id":584},"cross-site-redirect-attacks","Cross-Site & Redirect Attacks",[188,587,588,598],{},[191,589,590],{},[194,591,592,594,596],{},[197,593,265],{},[197,595,268],{},[197,597,271],{},[204,599,600,610,620,630,640,650,660,670],{},[194,601,602,605,608],{},[209,603,604],{},"10017",[209,606,607],{},"Cross-Domain JavaScript Source File 
Inclusion",[209,609,221],{},[194,611,612,615,618],{},[209,613,614],{},"10028",[209,616,617],{},"Off-site Redirect",[209,619,221],{},[194,621,622,625,628],{},[209,623,624],{},"10029",[209,626,627],{},"Cookie Poisoning",[209,629,221],{},[194,631,632,635,638],{},[209,633,634],{},"10030",[209,636,637],{},"User Controllable Charset",[209,639,221],{},[194,641,642,645,648],{},[209,643,644],{},"10031",[209,646,647],{},"User Controllable HTML Element Attribute (Potential XSS)",[209,649,221],{},[194,651,652,655,658],{},[209,653,654],{},"10043",[209,656,657],{},"User Controllable JavaScript Event (XSS)",[209,659,221],{},[194,661,662,665,668],{},[209,663,664],{},"10044",[209,666,667],{},"Big Redirect Detected (Potential Sensitive Information Leak)",[209,669,221],{},[194,671,672,675,678],{},[209,673,674],{},"10108",[209,676,677],{},"Reverse Tabnabbing",[209,679,221],{},[253,681,683],{"id":682},"transport-security","Transport Security",[188,685,686,696],{},[191,687,688],{},[194,689,690,692,694],{},[197,691,265],{},[197,693,268],{},[197,695,271],{},[204,697,698,708,718,728,738],{},[194,699,700,703,706],{},[209,701,702],{},"10040",[209,704,705],{},"Secure Pages Include Mixed Content",[209,707,221],{},[194,709,710,713,716],{},[209,711,712],{},"10041",[209,714,715],{},"HTTP to HTTPS Insecure Transition in Form Post",[209,717,221],{},[194,719,720,723,726],{},[209,721,722],{},"10042",[209,724,725],{},"HTTPS to HTTP Insecure Transition in Form Post",[209,727,221],{},[194,729,730,733,736],{},[209,731,732],{},"10047",[209,734,735],{},"HTTPS Content Available via HTTP",[209,737,221],{},[194,739,740,743,746],{},[209,741,742],{},"10106",[209,744,745],{},"HTTP Only Site",[209,747,221],{},[253,749,751],{"id":750},"authentication-session","Authentication & Session",[188,753,754,764],{},[191,755,756],{},[194,757,758,760,762],{},[197,759,265],{},[197,761,268],{},[197,763,271],{},[204,765,766,776,786,796,806],{},[194,767,768,771,774],{},[209,769,770],{},"10105",[209,772,773],{},"Weak 
Authentication Method",[209,775,221],{},[194,777,778,781,784],{},[209,779,780],{},"10111",[209,782,783],{},"Authentication Request Identified",[209,785,221],{},[194,787,788,791,794],{},[209,789,790],{},"10112",[209,792,793],{},"Session Management Response Identified",[209,795,221],{},[194,797,798,801,804],{},[209,799,800],{},"10113",[209,802,803],{},"Verification Request Identified",[209,805,221],{},[194,807,808,811,814],{},[209,809,810],{},"10202",[209,812,813],{},"Absence of Anti-CSRF Tokens",[209,815,221],{},[253,817,819],{"id":818},"known-vulnerabilities-miscellaneous","Known Vulnerabilities & Miscellaneous",[188,821,822,832],{},[191,823,824],{},[194,825,826,828,830],{},[197,827,265],{},[197,829,268],{},[197,831,271],{},[204,833,834,843,853,863,873,882,892,902,912,922,932,942,952,962,972,982,992,1002],{},[194,835,836,838,841],{},[209,837,244],{},[209,839,840],{},"Directory Browsing",[209,842,221],{},[194,844,845,848,851],{},[209,846,847],{},"10003",[209,849,850],{},"Vulnerable JS Library (Powered by Retire.js)",[209,852,221],{},[194,854,855,858,861],{},[209,856,857],{},"10026",[209,859,860],{},"HTTP Parameter Override",[209,862,221],{},[194,864,865,868,871],{},[209,866,867],{},"10032",[209,869,870],{},"Viewstate",[209,872,221],{},[194,874,875,878,880],{},[209,876,877],{},"10033",[209,879,840],{},[209,881,221],{},[194,883,884,887,890],{},[209,885,886],{},"10034",[209,888,889],{},"Heartbleed OpenSSL Vulnerability (Indicative)",[209,891,221],{},[194,893,894,897,900],{},[209,895,896],{},"10045",[209,898,899],{},"Source Code Disclosure — \u002FWEB-INF Folder",[209,901,221],{},[194,903,904,907,910],{},[209,905,906],{},"10048",[209,908,909],{},"Remote Code Execution — Shell Shock",[209,911,221],{},[194,913,914,917,920],{},[209,915,916],{},"10049",[209,918,919],{},"Content Cacheability",[209,921,221],{},[194,923,924,927,930],{},[209,925,926],{},"10050",[209,928,929],{},"Retrieved from 
Cache",[209,931,221],{},[194,933,934,937,940],{},[209,935,936],{},"10058",[209,938,939],{},"GET for POST",[209,941,221],{},[194,943,944,947,950],{},[209,945,946],{},"10104",[209,948,949],{},"User Agent Fuzzer",[209,951,221],{},[194,953,954,957,960],{},[209,955,956],{},"10109",[209,958,959],{},"Modern Web Application",[209,961,221],{},[194,963,964,967,970],{},[209,965,966],{},"10110",[209,968,969],{},"Dangerous JS Functions",[209,971,221],{},[194,973,974,977,980],{},[209,975,976],{},"10115",[209,978,979],{},"Script Served From Malicious Domain (polyfill)",[209,981,221],{},[194,983,984,987,990],{},[209,985,986],{},"10116",[209,988,989],{},"ZAP is Out of Date",[209,991,221],{},[194,993,994,997,1000],{},[209,995,996],{},"20015",[209,998,999],{},"Heartbleed OpenSSL Vulnerability",[209,1001,221],{},[194,1003,1004,1007,1010],{},[209,1005,1006],{},"20017",[209,1008,1009],{},"Source Code Disclosure — CVE-2012-1823",[209,1011,221],{},[183,1013,1015],{"id":1014},"active-scan-results","Active Scan Results",[253,1017,1019],{"id":1018},"injection-attacks","Injection Attacks",[188,1021,1022,1032],{},[191,1023,1024],{},[194,1025,1026,1028,1030],{},[197,1027,265],{},[197,1029,268],{},[197,1031,271],{},[204,1033,1034,1044,1054,1064,1074,1084,1094,1104,1114],{},[194,1035,1036,1039,1042],{},[209,1037,1038],{},"40018",[209,1040,1041],{},"SQL Injection (Generic)",[209,1043,221],{},[194,1045,1046,1049,1052],{},[209,1047,1048],{},"40019",[209,1050,1051],{},"SQL Injection — MySQL (Time Based)",[209,1053,221],{},[194,1055,1056,1059,1062],{},[209,1057,1058],{},"40020",[209,1060,1061],{},"SQL Injection — Hypersonic SQL (Time Based)",[209,1063,221],{},[194,1065,1066,1069,1072],{},[209,1067,1068],{},"40021",[209,1070,1071],{},"SQL Injection — Oracle (Time Based)",[209,1073,221],{},[194,1075,1076,1079,1082],{},[209,1077,1078],{},"40022",[209,1080,1081],{},"SQL Injection — PostgreSQL (Time Based)",[209,1083,221],{},[194,1085,1086,1089,1092],{},[209,1087,1088],{},"40027",[209,1090,1091],{},"SQL 
Injection — MsSQL (Time Based)",[209,1093,221],{},[194,1095,1096,1099,1102],{},[209,1097,1098],{},"90021",[209,1100,1101],{},"XPath Injection",[209,1103,221],{},[194,1105,1106,1109,1112],{},[209,1107,1108],{},"90029",[209,1110,1111],{},"SOAP XML Injection",[209,1113,221],{},[194,1115,1116,1119,1122],{},[209,1117,1118],{},"90017",[209,1120,1121],{},"XSLT Injection",[209,1123,221],{},[253,1125,1127],{"id":1126},"cross-site-scripting-xss","Cross-Site Scripting (XSS)",[188,1129,1130,1140],{},[191,1131,1132],{},[194,1133,1134,1136,1138],{},[197,1135,265],{},[197,1137,268],{},[197,1139,271],{},[204,1141,1142,1152,1162,1172,1182],{},[194,1143,1144,1147,1150],{},[209,1145,1146],{},"40012",[209,1148,1149],{},"Cross Site Scripting (Reflected)",[209,1151,221],{},[194,1153,1154,1157,1160],{},[209,1155,1156],{},"40014",[209,1158,1159],{},"Cross Site Scripting (Persistent)",[209,1161,221],{},[194,1163,1164,1167,1170],{},[209,1165,1166],{},"40016",[209,1168,1169],{},"Cross Site Scripting (Persistent) — Prime",[209,1171,221],{},[194,1173,1174,1177,1180],{},[209,1175,1176],{},"40017",[209,1178,1179],{},"Cross Site Scripting (Persistent) — Spider",[209,1181,221],{},[194,1183,1184,1187,1190],{},[209,1185,1186],{},"40026",[209,1188,1189],{},"Cross Site Scripting (DOM Based)",[209,1191,221],{},[253,1193,1195],{"id":1194},"remote-code-execution","Remote Code Execution",[188,1197,1198,1208],{},[191,1199,1200],{},[194,1201,1202,1204,1206],{},[197,1203,265],{},[197,1205,268],{},[197,1207,271],{},[204,1209,1210,1220,1230,1240,1250],{},[194,1211,1212,1215,1218],{},[209,1213,1214],{},"20018",[209,1216,1217],{},"Remote Code Execution — CVE-2012-1823",[209,1219,221],{},[194,1221,1222,1225,1228],{},[209,1223,1224],{},"40048",[209,1226,1227],{},"Remote Code Execution (React2Shell)",[209,1229,221],{},[194,1231,1232,1235,1238],{},[209,1233,1234],{},"90019",[209,1236,1237],{},"Server Side Code 
Injection",[209,1239,221],{},[194,1241,1242,1245,1248],{},[209,1243,1244],{},"90020",[209,1246,1247],{},"Remote OS Command Injection",[209,1249,221],{},[194,1251,1252,1255,1258],{},[209,1253,1254],{},"90037",[209,1256,1257],{},"Remote OS Command Injection (Time Based)",[209,1259,221],{},[253,1261,1263],{"id":1262},"server-side-attacks","Server-Side Attacks",[188,1265,1266,1276],{},[191,1267,1268],{},[194,1269,1270,1272,1274],{},[197,1271,265],{},[197,1273,268],{},[197,1275,271],{},[204,1277,1278,1288,1298,1308,1318,1328],{},[194,1279,1280,1283,1286],{},[209,1281,1282],{},"90023",[209,1284,1285],{},"XML External Entity Attack",[209,1287,221],{},[194,1289,1290,1293,1296],{},[209,1291,1292],{},"40009",[209,1294,1295],{},"Server Side Include",[209,1297,221],{},[194,1299,1300,1303,1306],{},[209,1301,1302],{},"90035",[209,1304,1305],{},"Server Side Template Injection",[209,1307,221],{},[194,1309,1310,1313,1316],{},[209,1311,1312],{},"90036",[209,1314,1315],{},"Server Side Template Injection (Blind)",[209,1317,221],{},[194,1319,1320,1323,1326],{},[209,1321,1322],{},"90026",[209,1324,1325],{},"SOAP Action Spoofing",[209,1327,221],{},[194,1329,1330,1333,1336],{},[209,1331,1332],{},"40044",[209,1334,1335],{},"Exponential Entity Expansion (Billion Laughs)",[209,1337,221],{},[253,1339,1341],{"id":1340},"path-file-attacks","Path & File Attacks",[188,1343,1344,1354],{},[191,1345,1346],{},[194,1347,1348,1350,1352],{},[197,1349,265],{},[197,1351,268],{},[197,1353,271],{},[204,1355,1356,1366,1376,1386,1396],{},[194,1357,1358,1361,1364],{},[209,1359,1360],{},"6",[209,1362,1363],{},"Path Traversal",[209,1365,221],{},[194,1367,1368,1371,1374],{},[209,1369,1370],{},"7",[209,1372,1373],{},"Remote File Inclusion",[209,1375,221],{},[194,1377,1378,1381,1384],{},[209,1379,1380],{},"40032",[209,1382,1383],{},".htaccess Information Leak",[209,1385,221],{},[194,1387,1388,1391,1394],{},[209,1389,1390],{},"40034",[209,1392,1393],{},".env Information 
Leak",[209,1395,221],{},[194,1397,1398,1401,1404],{},[209,1399,1400],{},"40035",[209,1402,1403],{},"Hidden File Finder",[209,1405,221],{},[253,1407,751],{"id":1408},"authentication-session-1",[188,1410,1411,1421],{},[191,1412,1413],{},[194,1414,1415,1417,1419],{},[197,1416,265],{},[197,1418,268],{},[197,1420,271],{},[204,1422,1423,1433,1443],{},[194,1424,1425,1428,1431],{},[209,1426,1427],{},"3",[209,1429,1430],{},"Session ID in URL Rewrite",[209,1432,221],{},[194,1434,1435,1438,1441],{},[209,1436,1437],{},"20019",[209,1439,1440],{},"External Redirect",[209,1442,221],{},[194,1444,1445,1448,1451],{},[209,1446,1447],{},"90033",[209,1449,1450],{},"Loosely Scoped Cookie",[209,1452,221],{},[253,1454,1456],{"id":1455},"known-cves","Known CVEs",[188,1458,1459,1469],{},[191,1460,1461],{},[194,1462,1463,1465,1467],{},[197,1464,265],{},[197,1466,268],{},[197,1468,271],{},[204,1470,1471,1481,1491,1501],{},[194,1472,1473,1476,1479],{},[209,1474,1475],{},"40043",[209,1477,1478],{},"Log4Shell",[209,1480,221],{},[194,1482,1483,1486,1489],{},[209,1484,1485],{},"40045",[209,1487,1488],{},"Spring4Shell",[209,1490,221],{},[194,1492,1493,1496,1499],{},[209,1494,1495],{},"90001",[209,1497,1498],{},"Insecure JSF ViewState",[209,1500,221],{},[194,1502,1503,1506,1509],{},[209,1504,1505],{},"90002",[209,1507,1508],{},"Java Serialization Object",[209,1510,221],{},[253,1512,1514],{"id":1513},"infrastructure","Infrastructure",[188,1516,1517,1527],{},[191,1518,1519],{},[194,1520,1521,1523,1525],{},[197,1522,265],{},[197,1524,268],{},[197,1526,271],{},[204,1528,1529,1539,1549,1559,1569,1579,1589,1599,1609,1619,1629,1639,1649,1659,1669,1679],{},[194,1530,1531,1534,1537],{},[209,1532,1533],{},"30001",[209,1535,1536],{},"Buffer Overflow",[209,1538,221],{},[194,1540,1541,1544,1547],{},[209,1542,1543],{},"30002",[209,1545,1546],{},"Format String Error",[209,1548,221],{},[194,1550,1551,1554,1557],{},[209,1552,1553],{},"40003",[209,1555,1556],{},"CRLF 
Injection",[209,1558,221],{},[194,1560,1561,1564,1567],{},[209,1562,1563],{},"40008",[209,1565,1566],{},"Parameter Tampering",[209,1568,221],{},[194,1570,1571,1574,1577],{},[209,1572,1573],{},"40028",[209,1575,1576],{},"ELMAH Information Leak",[209,1578,221],{},[194,1580,1581,1584,1587],{},[209,1582,1583],{},"40029",[209,1585,1586],{},"Trace.axd Information Leak",[209,1588,221],{},[194,1590,1591,1594,1597],{},[209,1592,1593],{},"40042",[209,1595,1596],{},"Spring Actuator Information Leak",[209,1598,221],{},[194,1600,1601,1604,1607],{},[209,1602,1603],{},"90004",[209,1605,1606],{},"Insufficient Site Isolation Against Spectre",[209,1608,221],{},[194,1610,1611,1614,1617],{},[209,1612,1613],{},"90011",[209,1615,1616],{},"Charset Mismatch",[209,1618,221],{},[194,1620,1621,1624,1627],{},[209,1622,1623],{},"90022",[209,1625,1626],{},"Application Error Disclosure",[209,1628,221],{},[194,1630,1631,1634,1637],{},[209,1632,1633],{},"90024",[209,1635,1636],{},"Generic Padding Oracle",[209,1638,221],{},[194,1640,1641,1644,1647],{},[209,1642,1643],{},"90030",[209,1645,1646],{},"WSDL File Detection",[209,1648,221],{},[194,1650,1651,1654,1657],{},[209,1652,1653],{},"90034",[209,1655,1656],{},"Cloud Metadata Potentially Exposed",[209,1658,221],{},[194,1660,1661,1664,1667],{},[209,1662,1663],{},"90003",[209,1665,1666],{},"Sub Resource Integrity Attribute Missing",[209,1668,221],{},[194,1670,1671,1674,1677],{},[209,1672,1673],{},"50000",[209,1675,1676],{},"Script Active Scan Rules",[209,1678,221],{},[194,1680,1681,1684,1687],{},[209,1682,1683],{},"50001",[209,1685,1686],{},"Script Passive Scan Rules",[209,1688,221],{},[183,1690,1692],{"id":1691},"warnings","Warnings",[188,1694,1695,1708],{},[191,1696,1697],{},[194,1698,1699,1701,1703,1705],{},[197,1700,265],{},[197,1702,268],{},[197,1704,271],{},[197,1706,1707],{},"Details",[204,1709,1710],{},[194,1711,1712,1715,1718,1720],{},[209,1713,1714],{},"100001",[209,1716,1717],{},"Unexpected 
Content-Type",[209,1719,231],{},[209,1721,1722,1723,1726],{},"13 instances — SPA fallback returns ",[169,1724,1725],{},"text\u002Fhtml"," for unknown paths (random URL fuzzing by ZAP). This is expected behavior: Vue Router handles client-side routing, so the server returns the SPA shell for any unrecognized path. Not a security issue.",[183,1728,1730],{"id":1729},"informational-alerts-no-action-required","Informational Alerts (No Action Required)",[188,1732,1733,1749],{},[191,1734,1735],{},[194,1736,1737,1740,1743,1746],{},[197,1738,1739],{},"Alert",[197,1741,1742],{},"Risk Level",[197,1744,1745],{},"Instances",[197,1747,1748],{},"Notes",[204,1750,1751,1765],{},[194,1752,1753,1756,1759,1762],{},[209,1754,1755],{},"Client Error response code (401, 404)",[209,1757,1758],{},"Informational",[209,1760,1761],{},"Expected",[209,1763,1764],{},"Unauthenticated API requests correctly return 401 Unauthorized",[194,1766,1767,1770,1772,1774],{},[209,1768,1769],{},"Non-Storable Content",[209,1771,1758],{},[209,1773,1761],{},[209,1775,1776],{},"401 responses are correctly non-cacheable",[183,1778,1780],{"id":1779},"comparison-with-previous-scan-2026-03-24","Comparison with Previous Scan (2026-03-24)",[188,1782,1783,1799],{},[191,1784,1785],{},[194,1786,1787,1790,1793,1796],{},[197,1788,1789],{},"Metric",[197,1791,1792],{},"2026-03-24",[197,1794,1795],{},"2026-04-06",[197,1797,1798],{},"Change",[204,1800,1801,1813,1823,1833,1843],{},[194,1802,1803,1806,1808,1810],{},[209,1804,1805],{},"Rules tested",[209,1807,214],{},[209,1809,214],{},[209,1811,1812],{},"No change",[194,1814,1815,1817,1819,1821],{},[209,1816,221],{},[209,1818,224],{},[209,1820,224],{},[209,1822,1812],{},[194,1824,1825,1827,1829,1831],{},[209,1826,231],{},[209,1828,234],{},[209,1830,234],{},[209,1832,1812],{},[194,1834,1835,1837,1839,1841],{},[209,1836,241],{},[209,1838,244],{},[209,1840,244],{},[209,1842,1812],{},[194,1844,1845,1848,1851,1854],{},[209,1846,1847],{},"Content-Type WARN 
instances",[209,1849,1850],{},"14",[209,1852,1853],{},"13",[209,1855,1856],{},"-1 (minor fluctuation from random URL generation)",[149,1858,1859],{},"No new vulnerabilities, regressions, or security findings since the previous baseline. This scan serves as the pre-release DAST baseline for v3.1.0.",[183,1861,1863],{"id":1862},"how-to-reproduce","How to Reproduce",[1865,1866,1871],"pre",{"className":1867,"code":1868,"language":1869,"meta":1870,"style":1870},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Start Capacitarr\ndocker compose up -d --build\n\n# Run ZAP API scan\nmake security:zap\n\n# Reports generated:\n#   zap-report.html  — full HTML report\n#   zap-report.md    — markdown summary\n","bash","",[169,1872,1873,1881,1900,1906,1911,1919,1923,1929,1935],{"__ignoreMap":1870},[1874,1875,1877],"span",{"class":1876,"line":17},"line",[1874,1878,1880],{"class":1879},"sHwdD","# Start Capacitarr\n",[1874,1882,1883,1887,1891,1894,1897],{"class":1876,"line":22},[1874,1884,1886],{"class":1885},"sBMFI","docker",[1874,1888,1890],{"class":1889},"sfazB"," compose",[1874,1892,1893],{"class":1889}," up",[1874,1895,1896],{"class":1889}," -d",[1874,1898,1899],{"class":1889}," --build\n",[1874,1901,1902],{"class":1876,"line":27},[1874,1903,1905],{"emptyLinePlaceholder":1904},true,"\n",[1874,1907,1908],{"class":1876,"line":53},[1874,1909,1910],{"class":1879},"# Run ZAP API scan\n",[1874,1912,1913,1916],{"class":1876,"line":116},[1874,1914,1915],{"class":1885},"make",[1874,1917,1918],{"class":1889}," security:zap\n",[1874,1920,1921],{"class":1876,"line":66},[1874,1922,1905],{"emptyLinePlaceholder":1904},[1874,1924,1926],{"class":1876,"line":1925},7,[1874,1927,1928],{"class":1879},"# Reports generated:\n",[1874,1930,1932],{"class":1876,"line":1931},8,[1874,1933,1934],{"class":1879},"#   zap-report.html  — full HTML report\n",[1874,1936,1938],{"class":1876,"line":1937},9,[1874,1939,1940],{"class":1879},"#   zap-report.md    — 
markdown summary\n",[1942,1943,1944],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: 
var(--shiki-dark-text-decoration);}",{"title":1870,"searchDepth":17,"depth":22,"links":1946},[1947,1948,1956,1966,1967,1968,1969],{"id":185,"depth":22,"text":186},{"id":250,"depth":22,"text":251,"children":1949},[1950,1951,1952,1953,1954,1955],{"id":255,"depth":27,"text":256},{"id":446,"depth":27,"text":447},{"id":584,"depth":27,"text":585},{"id":682,"depth":27,"text":683},{"id":750,"depth":27,"text":751},{"id":818,"depth":27,"text":819},{"id":1014,"depth":22,"text":1015,"children":1957},[1958,1959,1960,1961,1962,1963,1964,1965],{"id":1018,"depth":27,"text":1019},{"id":1126,"depth":27,"text":1127},{"id":1194,"depth":27,"text":1195},{"id":1262,"depth":27,"text":1263},{"id":1340,"depth":27,"text":1341},{"id":1408,"depth":27,"text":751},{"id":1455,"depth":27,"text":1456},{"id":1513,"depth":27,"text":1514},{"id":1691,"depth":22,"text":1692},{"id":1729,"depth":22,"text":1730},{"id":1779,"depth":22,"text":1780},{"id":1862,"depth":22,"text":1863},"Date: 2026-04-06\nTool: OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\nScan type: API Scan with OpenAPI specification\nTarget: http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F\nOpenAPI spec: docs\u002Freference\u002Fapi\u002Fopenapi.yaml\nContext: Pre-release security scan for v3.1.0","md",null,{},{"title":128,"description":1970},"5AiZEz5WyuIPrm7shzWPYeGmVSdOely_Xxwsofiu7dk",[1977,1972],{"title":128,"path":138,"stem":139,"description":1978,"order":116,"children":-1},"Date: 2026-03-24\nTool: OWASP ZAP (ghcr.io\u002Fzaproxy\u002Fzaproxy:stable)\nScan type: API Scan with OpenAPI specification\nTarget: http:\u002F\u002Flocalhost:2187\u002Fapi\u002Fv1\u002F\nOpenAPI spec: docs\u002Fapi\u002Fopenapi.yaml\nContext: Pre-release security scan for v2.0.0",1776649616372]