# Example ZAP baseline rule policy
# FAIL on high-signal hygiene findings that should block the build (non-zero exit).
# WARN on broader hygiene checks that should be reported and trended, not block.
# IGNORE only with a clear reason and a tracking reference recorded in a comment.
10010	WARN	(Cookie No HttpOnly Flag)
10011	FAIL	(Cookie Without Secure Flag)
10015	WARN	(Incomplete or No Cache-control and Pragma HTTP Header Set)
10016	WARN	(Web Browser XSS Protection Not Enabled)
10020	FAIL	(X-Frame-Options Header Not Set)
10038	FAIL	(Content Security Policy Header Not Set)
10202	WARN	(Absence of Anti-CSRF Tokens)
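As an added example (not part of ZAP or of this policy file), a small Python validator that parses the baseline conf format above and enforces the header's IGNORE rule. The tab-separated `<id>\t<ACTION>\t(<name>)` layout and `#` comment lines are ZAP's; "an IGNORE is justified by the `#` comment line immediately before it, and that comment carries a ticket-style reference such as SEC-123" is a convention assumed here, and the sample policy is constructed.

```python
"""Validate a ZAP baseline rule policy file (added example, not ZAP code).
Assumed convention: every IGNORE is preceded by a '#' comment giving the reason
and a tracking reference like SEC-123 (placeholder ticket format)."""
import re

# ZAP conf rule line: numeric id, TAB, action, TAB, parenthesised rule name.
# OUTOFSCOPE lines use a different shape and are not handled here.
LINE_RE = re.compile(r"^(\d+)\t(FAIL|WARN|IGNORE)\t\((.*)\)\s*$")
# Assumed tracking-reference shape, e.g. SEC-123 or JIRA-4567.
TRACKING_RE = re.compile(r"\b[A-Z][A-Z0-9]*-\d+\b")


def validate_policy(text: str):
    """Return (rules, problems): parsed rule dicts and human-readable findings."""
    rules, problems, seen, last_comment = [], [], {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            last_comment = None  # a blank line breaks the comment/rule pairing
            continue
        if line.startswith("#"):
            last_comment = line.lstrip("#").strip()
            continue
        m = LINE_RE.match(raw)  # match the raw line: leading spaces are an error
        if not m:
            problems.append(f"line {lineno}: not '<id>\\t<ACTION>\\t(<name>)': {raw!r}")
            last_comment = None
            continue
        rule_id, action, name = m.groups()
        if rule_id in seen:
            problems.append(f"line {lineno}: rule {rule_id} already set on line {seen[rule_id]}")
        seen[rule_id] = lineno
        if action == "IGNORE":
            if not last_comment:
                problems.append(f"line {lineno}: IGNORE for {rule_id} has no justifying comment")
            elif not TRACKING_RE.search(last_comment):
                problems.append(f"line {lineno}: IGNORE for {rule_id} lacks a tracking reference")
        rules.append({"id": rule_id, "action": action, "name": name})
        last_comment = None  # a comment justifies only the rule directly after it
    return rules, problems


# Constructed sample: three rules from the policy above plus two IGNORE cases,
# one justified, one not, and a duplicate id that should be reported.
SAMPLE_POLICY = """\
# Constructed sample policy for the validator.
10010\tWARN\t(Cookie No HttpOnly Flag)
10011\tFAIL\t(Cookie Without Secure Flag)
10038\tFAIL\t(Content Security Policy Header Not Set)
# Static site, no forms or sessions; tracked as SEC-123 (placeholder ticket)
10202\tIGNORE\t(Absence of Anti-CSRF Tokens)
10016\tIGNORE\t(Web Browser XSS Protection Not Enabled)
10016\tWARN\t(Web Browser XSS Protection Not Enabled)
"""
```

Running `validate_policy(SAMPLE_POLICY)` reports the unjustified IGNORE on 10016 and the duplicate 10016 entry while accepting the justified IGNORE on 10202; wire it into CI before `zap-baseline.py` consumes the file.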
