Why are some Assess rules disabled by default?
All Contrast rules are production ready. However for various reasons, some are disabled by default. This is a decision taken by the Contrast Security team around how valuable these rules are to the majority of customers. For example:
- Automatic Escaping Disabled only applies to old Play! applications.
- HTTP Header Injection is not a concern unless you're using extremely old application servers.
- Regular Expression DoS adds a limited performance impact, which is why it's off by default.