| ID | Check | Severity | Type |
|---|---|---|---|
| 1004.1 | Sensitive cookie without HttpOnly attribute | Low | Passive |
| 16.1 | Missing Content-Type header | Low | Passive |
| 16.10 | Content-Security-Policy violations | Info | Passive |
| 16.2 | Server header exposes version information | Low | Passive |
| 16.3 | X-Powered-By header exposes version information | Low | Passive |
| 16.4 | X-Backend-Server header exposes server information | Info | Passive |
| 16.5 | AspNet header exposes version information | Low | Passive |
| 16.6 | AspNetMvc header exposes version information | Low | Passive |
| 16.7 | Strict-Transport-Security header missing or invalid | Low | Passive |
| 16.8 | Content-Security-Policy analysis | Info | Passive |
| 16.9 | Content-Security-Policy-Report-Only analysis | Info | Passive |
| 200.1 | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive |
| 209.1 | Generation of error message containing sensitive information | Low | Passive |
| 209.2 | Generation of database error message containing sensitive information | Low | Passive |
| 287.1 | Insecure authentication over HTTP (Basic Authentication) | Medium | Passive |
| 287.2 | Insecure authentication over HTTP (Digest Authentication) | Low | Passive |
| 319.1 | Mixed Content | Info | Passive |
| 352.1 | Absence of anti-CSRF tokens | Medium | Passive |
| 359.1 | Exposure of Private Personal Information (PII) to an unauthorized actor (credit card) | Medium | Passive |
| 359.2 | Exposure of Private Personal Information (PII) to an unauthorized actor (United States social security number) | Medium | Passive |
| 548.1 | Exposure of information through directory listing | Low | Passive |
| 598.1 | Use of GET request method with sensitive query strings (session ID) | Medium | Passive |
| 598.2 | Use of GET request method with sensitive query strings (password) | Medium | Passive |
| 598.3 | Use of GET request method with sensitive query strings (Authorization header details) | Medium | Passive |
| 601.1 | URL redirection to untrusted site ('open redirect') | Low | Passive |
| 614.1 | Sensitive cookie without Secure attribute | Low | Passive |
| 693.1 | Missing X-Content-Type-Options: nosniff | Low | Passive |
| 798.2 | Exposure of confidential secret or token Adobe Client ID (OAuth Web) | High | Passive |
| 798.3 | Exposure of confidential secret or token Adobe client secret | High | Passive |
| 798.4 | Exposure of confidential secret or token Age secret key | High | Passive |
| 798.7 | Exposure of confidential secret or token Alibaba AccessKey ID | High | Passive |
| 798.8 | Exposure of confidential secret or token Alibaba Secret Key | High | Passive |
| 798.9 | Exposure of confidential secret or token Asana client ID | High | Passive |
| 798.10 | Exposure of confidential secret or token Asana client secret | High | Passive |
| 798.11 | Exposure of confidential secret or token Atlassian API token | High | Passive |
| 798.12 | Exposure of confidential secret or token AWS access token | High | Passive |
| 798.13 | Exposure of confidential secret or token Bitbucket client ID | High | Passive |
| 798.14 | Exposure of confidential secret or token Bitbucket client secret | High | Passive |
| 798.17 | Exposure of confidential secret or token Beamer API token | High | Passive |
| 798.20 | Exposure of confidential secret or token Clojars deploy token | High | Passive |
| 798.23 | Exposure of confidential secret or token Contentful delivery API token | High | Passive |
| 798.24 | Exposure of confidential secret or token Databricks API token | High | Passive |
| 798.26 | Exposure of confidential secret or token Discord API key | High | Passive |
| 798.27 | Exposure of confidential secret or token Discord client ID | High | Passive |
| 798.28 | Exposure of confidential secret or token Discord client secret | High | Passive |
| 798.29 | Exposure of confidential secret or token Doppler API token | High | Passive |
| 798.30 | Exposure of confidential secret or token Dropbox API secret/key | High | Passive |
| 798.31 | Exposure of confidential secret or token Dropbox long lived API token | High | Passive |
| 798.32 | Exposure of confidential secret or token Dropbox short lived API token | High | Passive |
| 798.34 | Exposure of confidential secret or token Duffel API token | High | Passive |
| 798.35 | Exposure of confidential secret or token Dynatrace API token | High | Passive |
| 798.36 | Exposure of confidential secret or token EasyPost production API key | High | Passive |
| 798.37 | Exposure of confidential secret or token EasyPost test API key | High | Passive |
| 798.39 | Exposure of confidential secret or token Facebook token | High | Passive |
| 798.40 | Exposure of confidential secret or token Fastly API user or automation token | High | Passive |
| 798.41 | Exposure of confidential secret or token Finicity client secret | High | Passive |
| 798.42 | Exposure of confidential secret or token Finicity API token | High | Passive |
| 798.46 | Exposure of confidential secret or token Flutterwave test secret key | High | Passive |
| 798.47 | Exposure of confidential secret or token Flutterwave test encrypted key | High | Passive |
| 798.48 | Exposure of confidential secret or token Frame.io API token | High | Passive |
| 798.50 | Exposure of confidential secret or token GoCardless API token | High | Passive |
| 798.52 | Exposure of confidential secret or token GitHub personal access token (classic) | High | Passive |
| 798.53 | Exposure of confidential secret or token GitHub OAuth Access Token | High | Passive |
| 798.54 | Exposure of confidential secret or token GitHub app token | High | Passive |
| 798.55 | Exposure of confidential secret or token GitHub refresh token | High | Passive |
| 798.56 | Exposure of confidential secret or token GitLab personal access token | High | Passive |
| 798.58 | Exposure of confidential secret or token HashiCorp Terraform API token | High | Passive |
| 798.59 | Exposure of confidential secret or token Heroku API key or application authorization token | High | Passive |
| 798.60 | Exposure of confidential secret or token HubSpot private app API token | High | Passive |
| 798.61 | Exposure of confidential secret or token Intercom API token | High | Passive |
| 798.66 | Exposure of confidential secret or token Linear API token | High | Passive |
| 798.67 | Exposure of confidential secret or token Linear client secret or ID (OAuth 2.0) | High | Passive |
| 798.68 | Exposure of confidential secret or token LinkedIn client ID | High | Passive |
| 798.69 | Exposure of confidential secret or token LinkedIn client secret | High | Passive |
| 798.70 | Exposure of confidential secret or token Lob API key | High | Passive |
| 798.72 | Exposure of confidential secret or token Mailchimp API key | High | Passive |
| 798.74 | Exposure of confidential secret or token Mailgun private API token | High | Passive |
| 798.75 | Exposure of confidential secret or token Mailgun webhook signing key | High | Passive |
| 798.78 | Exposure of confidential secret or token MessageBird access key | High | Passive |
| 798.81 | Exposure of confidential secret or token New Relic user API key | High | Passive |
| 798.82 | Exposure of confidential secret or token New Relic user API ID | High | Passive |
| 798.83 | Exposure of confidential secret or token New Relic ingest browser API token | High | Passive |
| 798.84 | Exposure of confidential secret or token npm access token | High | Passive |
| 798.90 | Exposure of confidential secret or token PlanetScale password | High | Passive |
| 798.91 | Exposure of confidential secret or token PlanetScale API token | High | Passive |
| 798.93 | Exposure of confidential secret or token Postman API token | High | Passive |
| 798.94 | Exposure of confidential secret or token SSH private key | High | Passive |
| 798.95 | Exposure of confidential secret or token Pulumi API token | High | Passive |
| 798.96 | Exposure of confidential secret or token PyPi upload token | High | Passive |
| 798.97 | Exposure of confidential secret or token RubyGems API token | High | Passive |
| 798.101 | Exposure of confidential secret or token SendGrid API token | High | Passive |
| 798.102 | Exposure of confidential secret or token Brevo API token | High | Passive |
| 798.104 | Exposure of confidential secret or token Shippo API token | High | Passive |
| 798.105 | Exposure of confidential secret or token Shopify personal access token | High | Passive |
| 798.106 | Exposure of confidential secret or token Shopify custom app access token | High | Passive |
| 798.107 | Exposure of confidential secret or token Shopify private app access token | High | Passive |
| 798.108 | Exposure of confidential secret or token Shopify shared secret | High | Passive |
| 798.109 | Exposure of confidential secret or token Slack bot user OAuth token | High | Passive |
| 798.110 | Exposure of confidential secret or token Slack webhook | High | Passive |
| 798.111 | Exposure of confidential secret or token Stripe live secret key | High | Passive |
| 798.117 | Exposure of confidential secret or token Twilio API key | High | Passive |
| 798.118 | Exposure of confidential secret or token Twitch OAuth client secret | High | Passive |
| 798.121 | Exposure of confidential secret or token X token | High | Passive |
| 798.124 | Exposure of confidential secret or token Typeform personal access token | High | Passive |
| 798.130 | Exposure of confidential secret or token Anthropic API key | High | Passive |
| 798.131 | Exposure of confidential secret or token CircleCI access token | High | Passive |
| 798.132 | Exposure of confidential secret or token CircleCI Personal Access Token | High | Passive |
| 798.133 | Exposure of confidential secret or token Contentful preview API token | High | Passive |
| 798.134 | Exposure of confidential secret or token Contentful personal access token | High | Passive |
| 798.135 | Exposure of confidential secret or token DigitalOcean OAuth access token | High | Passive |
| 798.136 | Exposure of confidential secret or token DigitalOcean personal access token | High | Passive |
| 798.137 | Exposure of confidential secret or token DigitalOcean refresh token | High | Passive |
| 798.138 | Exposure of confidential secret or token GCP OAuth client secret | High | Passive |
| 798.139 | Exposure of confidential secret or token Google (GCP) service account | High | Passive |
| 798.140 | Exposure of confidential secret or token GitLab Personal Access Token (routable) | High | Passive |
| 798.141 | Exposure of confidential secret or token GitLab Personal Access Token (routable) | High | Passive |
| 798.142 | Exposure of confidential secret or token GitLab Pipeline trigger token | High | Passive |
| 798.143 | Exposure of confidential secret or token GitLab Runner registration token | High | Passive |
| 798.144 | Exposure of confidential secret or token GitLab Runner authentication token | High | Passive |
| 798.145 | Exposure of confidential secret or token GitLab Feed token | High | Passive |
| 798.146 | Exposure of confidential secret or token GitLab OAuth application secret | High | Passive |
| 798.147 | Exposure of confidential secret or token GitLab feed token v2 | High | Passive |
| 798.148 | Exposure of confidential secret or token GitLab Kubernetes agent token | High | Passive |
| 798.149 | Exposure of confidential secret or token GitLab incoming email token | High | Passive |
| 798.150 | Exposure of confidential secret or token GitLab deploy token | High | Passive |
| 798.151 | Exposure of confidential secret or token GitLab SCIM OAuth token | High | Passive |
| 798.152 | Exposure of confidential secret or token GitLab CI build token | High | Passive |
| 798.153 | Exposure of confidential secret or token Grafana API token | High | Passive |
| 798.154 | Exposure of confidential secret or token HashiCorp Vault batch token | High | Passive |
| 798.155 | Exposure of confidential secret or token Instagram access token | High | Passive |
| 798.156 | Exposure of confidential secret or token Intercom client secret or client ID | High | Passive |
| 798.157 | Exposure of confidential secret or token Ionic personal access token | High | Passive |
| 798.158 | Exposure of confidential secret or token Artifactory API Key | High | Passive |
| 798.159 | Exposure of confidential secret or token Artifactory Identity Token | High | Passive |
| 798.160 | Exposure of confidential secret or token MaxMind License Key | High | Passive |
| 798.161 | Exposure of confidential secret or token Meta access token | High | Passive |
| 798.162 | Exposure of confidential secret or token Oculus access token | High | Passive |
| 798.163 | Exposure of confidential secret or token Onfido Live API Token | High | Passive |
| 798.164 | Exposure of confidential secret or token OpenAI API key | High | Passive |
| 798.165 | Exposure of confidential secret or token Password in URL | High | Passive |
| 798.166 | Exposure of confidential secret or token PGP private key | High | Passive |
| 798.167 | Exposure of confidential secret or token PKCS8 private key | High | Passive |
| 798.168 | Exposure of confidential secret or token RSA private key | High | Passive |
| 798.169 | Exposure of confidential secret or token Segment public API token | High | Passive |
| 798.170 | Exposure of confidential secret or token Brevo SMTP token | High | Passive |
| 798.171 | Exposure of confidential secret or token Shippo Test API token | High | Passive |
| 798.172 | Exposure of confidential secret or token Slack app level token | High | Passive |
| 798.173 | Exposure of confidential secret or token SSH (DSA) private key | High | Passive |
| 798.174 | Exposure of confidential secret or token SSH (EC) private key | High | Passive |
| 798.175 | Exposure of confidential secret or token Stripe live restricted key | High | Passive |
| 798.176 | Exposure of confidential secret or token Stripe publishable live key | High | Passive |
| 798.177 | Exposure of confidential secret or token Stripe secret test key | High | Passive |
| 798.178 | Exposure of confidential secret or token Stripe restricted test key | High | Passive |
| 798.179 | Exposure of confidential secret or token Stripe publishable test key | High | Passive |
| 798.180 | Exposure of confidential secret or token Tailscale key | High | Passive |
| 798.181 | Exposure of confidential secret or token Yandex Cloud IAM cookie v1-1 | High | Passive |
| 798.182 | Exposure of confidential secret or token Yandex Cloud IAM cookie v1-2 | High | Passive |
| 798.183 | Exposure of confidential secret or token Yandex Cloud IAM cookie v1-3 | High | Passive |
| 798.184 | Exposure of confidential secret or token Yandex Cloud AWS API compatible access secret | High | Passive |
| 829.1 | Inclusion of Functionality from Untrusted Control Sphere | Low | Passive |
| 829.2 | Invalid Sub-Resource Integrity values detected | Medium | Passive |
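Every check in the table above is passive: it inspects a response the crawler already received and never sends a crafted request. The following Python is an added example, not the scanner's own implementation, that shows what a small subset of those checks amounts to when run over one constructed response. The check IDs (16.2, 16.7, 693.1, 1004.1, 614.1, 598.1, 598.2, 798.12, 798.52, 798.168) are taken from the table; the sample URL, headers and body are constructed for this example, and the heuristics (which cookie names count as sensitive, what a leaked version string looks like, the three secret patterns) are simplifying assumptions chosen here rather than the scanner's actual rules.

```python
"""Toy passive-response analyzer covering a subset of the checks in the table
above. Added example; it is not the scanner's own implementation, and the
heuristics below (what counts as a "sensitive" cookie, what a version string
looks like, the secret patterns) are simplifications chosen for this example."""
import re
from urllib.parse import parse_qs, urlsplit

VERSION_RE = re.compile(r"\d+\.\d+")                      # "nginx/1.18.0", "PHP/7.4.3"
SENSITIVE_COOKIE_RE = re.compile(r"sess|token|auth|jwt", re.I)
SECRET_PATTERNS = {                                        # id -> (label, pattern)
    "798.12": ("AWS access token", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    "798.52": ("GitHub personal access token (classic)", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    "798.168": ("RSA private key", re.compile(r"-----BEGIN RSA PRIVATE KEY-----")),
}

# Constructed sample response (not captured from any real host). The AWS key ID
# is the placeholder value AWS uses in its own documentation.
SAMPLE_URL = "https://app.example.test/login?sessionid=abc123&password=hunter2"
SAMPLE_HEADERS = [
    ("Server", "nginx/1.18.0"),                          # version leak -> 16.2
    ("X-Powered-By", "Express"),                         # no version -> no 16.3
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=0"),          # max-age=0 disables HSTS -> 16.7
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure"),  # no HttpOnly -> 1004.1
    ("Set-Cookie", "theme=dark; Path=/"),                # not sensitive, ignored
]
SAMPLE_BODY = '<script>const cfg = {accessKeyId: "AKIAIOSFODNN7EXAMPLE"};</script>'


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def passive_checks(url, headers, body):
    """Return a sorted list of (check_id, detail) findings for one response."""
    findings = []
    hdr = {}
    for key, val in headers:                 # header names are case-insensitive
        hdr.setdefault(key.lower(), []).append(val)
    split = urlsplit(url)
    scheme = split.scheme.lower()

    if "content-type" not in hdr:
        findings.append(("16.1", "Content-Type header missing"))
    for check_id, name in (("16.2", "server"), ("16.3", "x-powered-by")):
        for val in hdr.get(name, []):
            if VERSION_RE.search(val):
                findings.append((check_id, f"{name} exposes version: {val}"))
    if scheme == "https":                    # browsers ignore HSTS sent over plain HTTP
        hsts = hdr.get("strict-transport-security", [""])[0]
        max_age = re.search(r"max-age=(\d+)", hsts, re.I)
        if max_age is None or int(max_age.group(1)) == 0:
            findings.append(("16.7", f"HSTS missing or invalid: {hsts!r}"))
    if not any(v.strip().lower() == "nosniff" for v in hdr.get("x-content-type-options", [])):
        findings.append(("693.1", "X-Content-Type-Options: nosniff missing"))

    for raw in hdr.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        if not SENSITIVE_COOKIE_RE.search(name):
            continue
        if "httponly" not in attrs:
            findings.append(("1004.1", f"cookie {name} lacks HttpOnly"))
        if "secure" not in attrs:
            findings.append(("614.1", f"cookie {name} lacks Secure"))

    for key in parse_qs(split.query):        # sensitive data carried in a GET query string
        if re.search(r"sess|sid", key, re.I):
            findings.append(("598.1", f"session ID in query string: {key}"))
        elif re.search(r"pass|pwd", key, re.I):
            findings.append(("598.2", f"password in query string: {key}"))

    haystack = body + "\n" + "\n".join(val for _, val in headers)
    for check_id, (label, pattern) in SECRET_PATTERNS.items():
        if pattern.search(haystack):
            findings.append((check_id, label))
    return sorted(findings)


if __name__ == "__main__":
    for check_id, detail in passive_checks(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(check_id, detail)
```

Two details worth noting when triaging results of this kind: the HSTS check is only meaningful on an `https://` response, because a browser discards a `Strict-Transport-Security` header received over plain HTTP, and `max-age=0` is a valid header that switches HSTS off rather than a typo. A response that sets `Content-Type`, `X-Content-Type-Options: nosniff`, a positive HSTS `max-age`, and both `Secure` and `HttpOnly` on its session cookie produces no findings from this subset.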