AI COE report

Generated with ZAP on Mon 22 Dec 2025, at 07:19:01

ZAP Version: 2.16.1

ZAP by Checkmarx

Contents

About This Report

Report Parameters

Contexts

No contexts were selected, so all contexts were included by default.

Sites

The following sites were included:

  • https://shavar.services.mozilla.com

(If no sites were selected, all sites were included by default.)

An included site must also be within one of the included contexts for its data to be included in the report.

Risk levels

Included: High, Medium, Low, Informational

Excluded: None

Confidence levels

Included: User Confirmed, High, Medium, Low

Excluded: User Confirmed, High, Medium, Low, False Positive

Summaries

Alert Counts by Risk and Confidence

This table shows the number of alerts for each level of risk and confidence included in the report.

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

                      Confidence
Risk              User Confirmed   High         Medium       Low          Total
High              0 (0.0%)         0 (0.0%)     0 (0.0%)     0 (0.0%)     0 (0.0%)
Medium            0 (0.0%)         0 (0.0%)     0 (0.0%)     0 (0.0%)     0 (0.0%)
Low               0 (0.0%)         1 (14.3%)    2 (28.6%)    1 (14.3%)    4 (57.1%)
Informational     0 (0.0%)         1 (14.3%)    2 (28.6%)    0 (0.0%)     3 (42.9%)
Total             0 (0.0%)         2 (28.6%)    4 (57.1%)    1 (14.3%)    7 (100%)

Alert Counts by Site and Risk

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

Alerts with a confidence level of "False Positive" have been excluded from these counts.

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

                                        Risk
Site                                    High (= High)   Medium (>= Medium)   Low (>= Low)   Informational (>= Informational)
https://shavar.services.mozilla.com     0 (0)           0 (0)                0 (0)          1 (1)

Alert Counts by Alert Type

This table shows the number of alerts of each alert type, together with the alert type's risk level.

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

Alert type                                                   Risk            Count
Insufficient Site Isolation Against Spectre Vulnerability    Low             1 (14.3%)
Timestamp Disclosure - Unix                                  Low             2 (28.6%)
X-Content-Type-Options Header Missing                        Low             1 (14.3%)
ZAP is Out of Date                                           Low             1 (14.3%)
Sec-Fetch-User Header is Missing                             Informational   1 (14.3%)
Storable and Cacheable Content                               Informational   1 (14.3%)
Tech Detected - HSTS                                         Informational   1 (14.3%)
Total                                                                        7

Alerts

  1. Risk=Low, Confidence=High (1)

  2. Risk=Low, Confidence=Medium (2)

  3. Risk=Low, Confidence=Low (1)

  4. Risk=Informational, Confidence=High (1)

  5. Risk=Informational, Confidence=Medium (2)

    1. https://shavar.services.mozilla.com (1)

      1. Tech Detected - HSTS (1)
        1. POST https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=128.10&pver=2.2
          Alert tags
          Alert description

          The following "Security" technology was identified: HSTS.

          Described as:

          HTTP Strict Transport Security (HSTS) informs browsers that the site should only be accessed using HTTPS.

          Request
          Request line and header section (472 bytes)
          POST https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=128.10&pver=2.2 HTTP/1.1
          host: shavar.services.mozilla.com
          User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
          Accept: */*
          Accept-Language: en-US,en;q=0.5
          Content-Type: text/plain
          Content-Length: 426
          Connection: close
          Sec-Fetch-Dest: empty
          Sec-Fetch-Mode: no-cors
          Sec-Fetch-Site: none
          Priority: u=4
          Pragma: no-cache
          Cache-Control: no-cache
          
          
          Request body (426 bytes)
          ads-track-digest256;
          social-track-digest256;
          analytics-track-digest256;
          content-track-digest256;
          mozstd-trackwhite-digest256;
          google-trackwhite-digest256;
          base-fingerprinting-track-digest256;
          base-cryptomining-track-digest256;
          social-tracking-protection-facebook-digest256;
          social-tracking-protection-linkedin-digest256;
          social-tracking-protection-twitter-digest256;
          base-email-track-digest256;
          content-email-track-digest256;
          
          Response
          Status line and header section (201 bytes)
          HTTP/1.1 200 OK
          Content-Type: application/octet-stream
          Date: Mon, 22 Dec 2025 01:30:29 GMT
          Strict-Transport-Security: max-age=31536000; includeSubDomains
          Content-Length: 1575
          Connection: Close
          
          
          Response body (1575 bytes)
          n:21600
          i:ads-track-digest256
          u:tracking-protection.cdn.mozilla.net/ads-track-digest256/128.0/1754651396
          i:social-track-digest256
          u:tracking-protection.cdn.mozilla.net/social-track-digest256/128.0/1754651396
          i:analytics-track-digest256
          u:tracking-protection.cdn.mozilla.net/analytics-track-digest256/128.0/1754651396
          i:content-track-digest256
          u:tracking-protection.cdn.mozilla.net/content-track-digest256/128.0/1754651396
          i:mozstd-trackwhite-digest256
          u:tracking-protection.cdn.mozilla.net/mozstd-trackwhite-digest256/128.0/1754651396
          i:google-trackwhite-digest256
          u:tracking-protection.cdn.mozilla.net/google-trackwhite-digest256/128.0/1754651396
          i:base-fingerprinting-track-digest256
          u:tracking-protection.cdn.mozilla.net/base-fingerprinting-track-digest256/128.0/1754651396
          i:base-cryptomining-track-digest256
          u:tracking-protection.cdn.mozilla.net/base-cryptomining-track-digest256/128.0/1754651396
          i:social-tracking-protection-facebook-digest256
          u:tracking-protection.cdn.mozilla.net/social-tracking-protection-facebook-digest256/128.0/1718977977
          i:social-tracking-protection-linkedin-digest256
          u:tracking-protection.cdn.mozilla.net/social-tracking-protection-linkedin-digest256/128.0/1718977977
          i:social-tracking-protection-twitter-digest256
          u:tracking-protection.cdn.mozilla.net/social-tracking-protection-twitter-digest256/128.0/1718977977
          i:base-email-track-digest256
          u:tracking-protection.cdn.mozilla.net/base-email-track-digest256/128.0/1754651396
          i:content-email-track-digest256
          u:tracking-protection.cdn.mozilla.net/content-email-track-digest256/128.0/1754651396
          
          Evidence
          Strict-Transport-Security

Appendix

Alert Types

This section contains additional information on the types of alerts in the report.

  1. Insufficient Site Isolation Against Spectre Vulnerability

    Source raised by a passive scanner (Insufficient Site Isolation Against Spectre Vulnerability)
    CWE ID 693
    WASC ID 14
    Reference
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy
  2. Timestamp Disclosure - Unix

    Source raised by a passive scanner (Timestamp Disclosure)
    CWE ID 497
    WASC ID 13
    Reference
    1. https://cwe.mitre.org/data/definitions/200.html
  3. X-Content-Type-Options Header Missing

    Source raised by a passive scanner (X-Content-Type-Options Header Missing)
    CWE ID 693
    WASC ID 15
    Reference
    1. https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
    2. https://owasp.org/www-community/Security_Headers
  4. ZAP is Out of Date

    Source raised by a passive scanner (ZAP is Out of Date)
    CWE ID 1104
    WASC ID 45
    Reference
    1. https://www.zaproxy.org/download/
  5. Sec-Fetch-User Header is Missing

    Source raised by a passive scanner (Fetch Metadata Request Headers)
    CWE ID 352
    WASC ID 9
    Reference
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User
  6. Storable and Cacheable Content

    Source raised by a passive scanner (Content Cacheability)
    CWE ID 524
    WASC ID 13
    Reference
    1. https://datatracker.ietf.org/doc/html/rfc7234
    2. https://datatracker.ietf.org/doc/html/rfc7231
    3. https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
  7. Tech Detected - HSTS

    Source raised by other tools/functionalities in ZAP (for example, fuzzer, HTTPS Info add-on, custom scripts...) (plugin ID: 10004)
    WASC ID 13
    Reference
    1. https://www.rfc-editor.org/rfc/rfc6797#section-6.1