May 19th Zap Scan Results

[alexjanousekGSA]

1. Unexpected Content Type Returned with Option Request. text/html is returned instead of No content - Could fix with :

@app.before_request
def handle_options():
if request.method == 'OPTIONS':
response = make_response('', 204)
response.headers['Access-Control-Allow-Origin'] = '*'
response.headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
return response

2. Timestamp being returned in openapi endpoint - This is a false positive (its actually a phone number) and is currently being fixed in PR.
3. Add appropriate HTTP headers to some status endpoints to control caching behavior. (could be a false positive?)

[alexjanousekGSA]

Are any of these time sensitive or worth doing @ccostino ?

[ccostino]

Thanks, @alexjanousekGSA! Yes, we should address them, even if to explicitly account for any as false positives. We'll get this prioritized soon! And it looks like number 2 is already being fixed, too?