Why are some Assess rules disabled by default?

Question

Why are some Assess rules disabled by default?

Answer

All Contrast rules are production ready. However for various reasons, some are disabled by default. This is a decision taken by the Contrast Security team around how valuable these rules are to the majority of customers. For example:

• Automatic Escaping Disabled only applies to old Play! applications.
• HTTP Header Injection is not a concern unless you're using extremely old application servers.
• Regular Expression DoS adds a limited performance impact, which is why it's off by default.