# Example ZAP API scan rule policy
# Format: <plugin id><TAB><FAIL|WARN|IGNORE><TAB>(description); the description column is informational.
# Treat scan rules selectively (FAIL only on findings that should break the build) to keep API scans useful.
40012	FAIL	(Cross Site Scripting)
40014	FAIL	(CRLF Injection)
40018	FAIL	(SQL Injection)
40020	WARN	(XSS)
90020	WARN	(Remote OS Command Injection)
90021	WARN	(Expression Language Injection)
10054	WARN	(Cookie without SameSite Attribute)
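The policy above is only useful once something interprets it: a rule listed as FAIL should turn a scan into a non-zero exit, WARN should be reported but not block, and IGNORE should be dropped. The following Python is an added example, not part of ZAP or of this policy file. It parses a constructed policy in the same tab-separated format, applies it to a handful of constructed alert records, and decides the outcome. The exit-code convention (1 on any FAIL, 2 on any WARN, 0 otherwise) and the "rules not listed default to WARN" stance are this example's own assumptions, not a description of the ZAP scripts' internals.

```python
"""Apply a ZAP-style rule policy (tab-separated: plugin id, FAIL/WARN/IGNORE,
description) to scan alerts and decide whether the scan should block.

Added example; the policy text, alert records and exit-code convention are
constructed here for illustration and are not ZAP's own code or data.
"""
from collections import Counter

# Constructed policy in the same format as the file above ('#' lines are comments).
POLICY_TEXT = """\
# comment lines are skipped
40012\tFAIL\t(Cross Site Scripting)
40018\tFAIL\t(SQL Injection)
90020\tWARN\t(Remote OS Command Injection)
10054\tWARN\t(Cookie without SameSite Attribute)
10021\tIGNORE\t(X-Content-Type-Options Header Missing)
"""

# Constructed alert records, shaped like the id/name/url fields of a scan report.
SAMPLE_ALERTS = [
    {"pluginId": "40018", "name": "SQL Injection", "url": "http://api.example.test/v1/users?id=1"},
    {"pluginId": "10054", "name": "Cookie without SameSite Attribute", "url": "http://api.example.test/v1/login"},
    {"pluginId": "10021", "name": "X-Content-Type-Options Header Missing", "url": "http://api.example.test/v1/health"},
    {"pluginId": "10096", "name": "Timestamp Disclosure", "url": "http://api.example.test/v1/health"},
]

VALID_ACTIONS = {"FAIL", "WARN", "IGNORE"}


def parse_policy(text):
    """Return {plugin_id: action}. Blank and '#' lines are skipped.

    A malformed line raises ValueError instead of being skipped, so a typo
    such as 'FALE' cannot silently demote a blocking rule to the default.
    """
    policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2 or not fields[0].isdigit() or fields[1] not in VALID_ACTIONS:
            raise ValueError(
                f"line {lineno}: expected '<id>\\t<FAIL|WARN|IGNORE>\\t(description)', got {raw!r}"
            )
        policy[fields[0]] = fields[1]  # third column (description) is informational only
    return policy


def classify(policy, alerts, default="WARN"):
    """Pair each alert with its action; unlisted rules get `default` (assumed WARN)."""
    return [(alert, policy.get(alert["pluginId"], default)) for alert in alerts]


def scan_outcome(policy, alerts, default="WARN"):
    """Return (exit_code, counts) using this example's convention:
    1 if any FAIL alert, 2 if only WARN alerts, 0 if nothing but IGNORE."""
    counts = Counter(action for _, action in classify(policy, alerts, default))
    if counts["FAIL"]:
        code = 1
    elif counts["WARN"]:
        code = 2
    else:
        code = 0
    return code, dict(counts)


if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    for alert, action in classify(pol, SAMPLE_ALERTS):
        if action != "IGNORE":
            print(f"{action:4} {alert['pluginId']} {alert['name']} at {alert['url']}")
    code, counts = scan_outcome(pol, SAMPLE_ALERTS)
    print(f"exit code {code}, counts {counts}")
```

Two design points worth keeping when adapting this: a malformed policy line is an error, not a skipped line, because the failure mode of a silently ignored FAIL entry is a scan that passes while the finding it was meant to catch goes unreported; and the default for unlisted rules should be WARN rather than IGNORE so that newly added scanner rules surface until someone classifies them.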
