Why are some Assess rules disabled by default?


Question

Why are some Assess rules disabled by default?

Answer

All Contrast Assess rules are production ready. However, for various reasons, some are disabled by default. This is a decision taken by the Contrast Security team based on how valuable each rule is to the majority of customers. For example:

  • Automatic Escaping Disabled only applies to old Play! applications, so it is irrelevant for most codebases.
  • HTTP Header Injection is not a concern unless you're running an extremely old application server; current servers reject or strip the CR/LF characters an attacker would need to inject a header.
  • Regular Expression DoS adds a small performance overhead to the instrumented application, which is why it's off by default.
