ZAP Scanning Report

Site: https://api-dev-v2.synapp.eu

Generated on Mon, 22 Jun 2026 10:48:32

ZAP Version: 2.17.0

ZAP by Checkmarx

Summary of Alerts

Risk Level Number of Alerts
High
0
Medium
3
Low
3
Informational
4
False Positives:
0

Summary of Sequences

For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).

Alerts

Name Risk Level Number of Instances
CSP: Failure to Define Directive with No Fallback Medium 2
CSP: script-src unsafe-inline Medium 1
CSP: style-src unsafe-inline Medium 1
CSP: Notices Low 1
Cross-Origin-Embedder-Policy Header Missing or Invalid Low 1
Timestamp Disclosure - Unix Low Systemic
Modern Web Application Informational 1
Re-examine Cache-control Directives Informational 1
Storable and Cacheable Content Informational Systemic
Storable but Non-Cacheable Content Informational 4

Alert Detail

Medium
CSP: Failure to Define Directive with No Fallback
Description
The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.
URL https://api-dev-v2.synapp.eu/api-docs
Node Name https://api-dev-v2.synapp.eu/api-docs
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'none'
Other Info
The directive(s): frame-ancestors, form-action is/are among the directives that do not fallback to default-src.
URL https://api-dev-v2.synapp.eu/api-docs/
Node Name https://api-dev-v2.synapp.eu/api-docs/
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;worker-src 'blob:';frame-src 'none';object-src 'none';base-uri 'self';form-action 'self'
Other Info
The directive(s): frame-ancestors is/are among the directives that do not fallback to default-src.
Instances 2
Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy
https://content-security-policy.com/
https://github.com/HtmlUnit/htmlunit-csp
https://web.dev/articles/csp#resource-options
CWE Id 693
WASC Id 15
Plugin Id 10055
Medium
CSP: script-src unsafe-inline
Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
URL https://api-dev-v2.synapp.eu/api-docs/
Node Name https://api-dev-v2.synapp.eu/api-docs/
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;worker-src 'blob:';frame-src 'none';object-src 'none';base-uri 'self';form-action 'self'
Other Info
script-src includes unsafe-inline.
Instances 1
Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy
https://content-security-policy.com/
https://github.com/HtmlUnit/htmlunit-csp
https://web.dev/articles/csp#resource-options
CWE Id 693
WASC Id 15
Plugin Id 10055
Medium
CSP: style-src unsafe-inline
Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
URL https://api-dev-v2.synapp.eu/api-docs/
Node Name https://api-dev-v2.synapp.eu/api-docs/
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;worker-src 'blob:';frame-src 'none';object-src 'none';base-uri 'self';form-action 'self'
Other Info
style-src includes unsafe-inline.
Instances 1
Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy
https://content-security-policy.com/
https://github.com/HtmlUnit/htmlunit-csp
https://web.dev/articles/csp#resource-options
CWE Id 693
WASC Id 15
Plugin Id 10055
Low
CSP: Notices
Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
URL https://api-dev-v2.synapp.eu/api-docs/
Node Name https://api-dev-v2.synapp.eu/api-docs/
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;worker-src 'blob:';frame-src 'none';object-src 'none';base-uri 'self';form-action 'self'
Other Info
Errors:

Unrecognized source-expression 'blob:'
Instances 1
Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy
https://content-security-policy.com/
https://github.com/HtmlUnit/htmlunit-csp
https://web.dev/articles/csp#resource-options
CWE Id 693
WASC Id 15
Plugin Id 10055
Low
Cross-Origin-Embedder-Policy Header Missing or Invalid
Description
Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).
URL https://api-dev-v2.synapp.eu/api-docs/
Node Name https://api-dev-v2.synapp.eu/api-docs/
Method GET
Parameter Cross-Origin-Embedder-Policy
Attack
Evidence
Other Info
Instances 1
Solution
Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents.

If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
CWE Id 693
WASC Id 14
Plugin Id 90004
Low
Timestamp Disclosure - Unix
Description
A timestamp was disclosed by the application/web server. - Unix
URL https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Node Name https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Method GET
Parameter
Attack
Evidence 1518500249
Other Info
1518500249, which evaluates to: 2018-02-13 05:37:29.
URL https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Node Name https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Method GET
Parameter
Attack
Evidence 1732584193
Other Info
1732584193, which evaluates to: 2024-11-26 01:23:13.
URL https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Node Name https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Method GET
Parameter
Attack
Evidence 1750603025
Other Info
1750603025, which evaluates to: 2025-06-22 14:37:05.
URL https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Node Name https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Method GET
Parameter
Attack
Evidence 1859775393
Other Info
1859775393, which evaluates to: 2028-12-07 04:16:33.
URL https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Node Name https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Method GET
Parameter
Attack
Evidence 1894007588
Other Info
1894007588, which evaluates to: 2030-01-07 09:13:08.
Instances Systemic
Solution
Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
Reference https://cwe.mitre.org/data/definitions/200.html
CWE Id 497
WASC Id 13
Plugin Id 10096
Informational
Modern Web Application
Description
The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.
URL https://api-dev-v2.synapp.eu/api-docs/
Node Name https://api-dev-v2.synapp.eu/api-docs/
Method GET
Parameter
Attack
Evidence <script src="./swagger-ui-bundle.js"> </script>
Other Info
No links have been found while there are scripts, which is an indication that this is a modern web application.
Instances 1
Solution
This is an informational alert and so no changes are required.
Reference
CWE Id
WASC Id
Plugin Id 10109
Informational
Re-examine Cache-control Directives
Description
The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
URL https://api-dev-v2.synapp.eu/api-docs/
Node Name https://api-dev-v2.synapp.eu/api-docs/
Method GET
Parameter cache-control
Attack
Evidence
Other Info
Instances 1
Solution
For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the directives "public, max-age, immutable".
Reference https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cache-Control
https://grayduck.mn/2021/09/13/cache-control-recommendations/
CWE Id 525
WASC Id 13
Plugin Id 10015
Informational
Storable and Cacheable Content
Description
The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.
URL https://api-dev-v2.synapp.eu/
Node Name https://api-dev-v2.synapp.eu/
Method GET
Parameter
Attack
Evidence
Other Info
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URL https://api-dev-v2.synapp.eu/api-docs
Node Name https://api-dev-v2.synapp.eu/api-docs
Method GET
Parameter
Attack
Evidence
Other Info
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URL https://api-dev-v2.synapp.eu/api-docs/
Node Name https://api-dev-v2.synapp.eu/api-docs/
Method GET
Parameter
Attack
Evidence
Other Info
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URL https://api-dev-v2.synapp.eu/robots.txt
Node Name https://api-dev-v2.synapp.eu/robots.txt
Method GET
Parameter
Attack
Evidence
Other Info
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
URL https://api-dev-v2.synapp.eu/sitemap.xml
Node Name https://api-dev-v2.synapp.eu/sitemap.xml
Method GET
Parameter
Attack
Evidence
Other Info
In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.
Instances Systemic
Solution
Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:

Cache-Control: no-cache, no-store, must-revalidate, private

Pragma: no-cache

Expires: 0

This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
Reference https://datatracker.ietf.org/doc/html/rfc7234
https://datatracker.ietf.org/doc/html/rfc7231
https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
CWE Id 524
WASC Id 13
Plugin Id 10049
Informational
Storable but Non-Cacheable Content
Description
The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.
URL https://api-dev-v2.synapp.eu/api-docs/favicon-16x16.png
Node Name https://api-dev-v2.synapp.eu/api-docs/favicon-16x16.png
Method GET
Parameter
Attack
Evidence max-age=0
Other Info
URL https://api-dev-v2.synapp.eu/api-docs/favicon-32x32.png
Node Name https://api-dev-v2.synapp.eu/api-docs/favicon-32x32.png
Method GET
Parameter
Attack
Evidence max-age=0
Other Info
URL https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Node Name https://api-dev-v2.synapp.eu/api-docs/swagger-ui-standalone-preset.js
Method GET
Parameter
Attack
Evidence max-age=0
Other Info
URL https://api-dev-v2.synapp.eu/api-docs/swagger-ui.css
Node Name https://api-dev-v2.synapp.eu/api-docs/swagger-ui.css
Method GET
Parameter
Attack
Evidence max-age=0
Other Info
Instances 4
Solution
Reference https://datatracker.ietf.org/doc/html/rfc7234
https://datatracker.ietf.org/doc/html/rfc7231
https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
CWE Id 524
WASC Id 13
Plugin Id 10049

Sequence Details

With the associated active scan results.