Flow AccessControl AssignMessage BasicAuthentication Proxy
Name Severity Scopes Tags Links
Bypassing AccessControl policy via True-Client-IP header Critical AccessControl Data Validation CWE-290
API Key is not removed before the request is sent to target system High Proxy Data in Transit CWE-201
AssignMessage request parameters pollution High AssignMessage Data Validation CWE-20
Authorization header is not removed before the request is sent to target system High Proxy Data in Transit CWE-201
Flow accepts confidential data as URL parameters High Flow PreFlow Data in Transit CWE-598
JSONThreatProtection policy is not applied to a request body with JSON type High Flow Data Validation CWE-502 CWE-20
Proxy doesn't have default flow High Proxy Code Quality Data Validation CWE-20
Use of weak hash algorithms High AssignMessage HMAC JavaScript Secure Configuration CWE-327
AccessControl allows all IPs Medium AccessControl Data Validation CWE-290
Condition has undefined variables Medium Step RouteRule Flow Code Quality CWE-570 CWE-571
Flow accepts requests with any method Medium Flow Data Validation CWE-749
Flow doesn't limit HTTP methods correctly Medium Flow Data Validation CWE-749
Lack of DefaultFaultRule Medium Target Proxy Error Handling CWE-390
MatchesPath is applied to a static parameter Medium Target Proxy Code Quality Data Validation CWE-20
No SpikeArrest policy is applied Medium Proxy Code Quality DoS Protection CWE-770
Unreachable FaultRule Medium Target Proxy Code Quality CWE-561
Unreachable Flow Medium Target Proxy Code Quality CWE-561
Unreachable RouteRule Medium Proxy Code Quality CWE-561
Missing security headers Low Proxy Secure Configuration CWE-523
No mask configuration for the proxy Low Proxy Code Quality