Configuring Active Scan Policies

Scan policies control which vulnerabilities ZAP tests for and how aggressively it tests. Open the policy editor through Analyse > Scan Policy Manager. A policy records, for every active scan rule, whether the rule is enabled, its alert threshold (the confidence ZAP requires before it reports a finding: Off, Low, Medium or High) and its attack strength (how many payloads it sends: Low, Medium, High or Insane). The default policy provides balanced testing suitable for most applications, but customizing it shortens scans and, through the threshold setting, reduces false positives. Create separate policies for different application types or testing scenarios rather than editing the default in place.

Risk-based policy configuration focuses testing on vulnerabilities the application can actually have. Disable rules for technologies the application does not use; LDAP injection tests waste time on an application that never talks to a directory. Only disable a rule once you have confirmed the technology is absent, because a scan cannot report what it never tested. Adjust attack strength to the time available and the capacity of the target server. "Low" strength sends a small payload set and finishes quickly, "High" sends comprehensive payload sets that take considerably longer, and "Insane" sends everything the rule knows and is rarely worth the cost outside a dedicated test environment. "Medium" balances coverage with efficiency for most scenarios. Strength and threshold are independent: raising strength finds more, raising threshold reports less, so lower the threshold on the rules that matter most and raise it on noisy rules instead of turning those rules off.

# Scan Policy Configuration Example
Policy Name: "API Security Testing"
Enabled Rules:
- SQL Injection (High Strength)
- NoSQL Injection (Medium Strength)  
- XML External Entity (High Strength)
- JWT Security (Medium Strength)

Disabled Rules:
- Server Side Include (Not applicable)
- LDAP Injection (No LDAP usage)
- Browser Cache (API responses not cached)

Technology-specific policies improve accuracy by focusing on relevant tests. Create policies for different technology stacks: Java applications, .NET services, PHP sites or Node.js APIs. Each technology has specific vulnerability patterns worth emphasizing, and ZAP also lets a context declare its technologies (the Technology tab of the context, for example Db.MySQL or Language.PHP) so that rules and payload variants for absent technologies are skipped automatically. Single-page front ends built with React or Angular are not a distinct attack surface for most active scan rules, but they do call for the DOM-based cross-site scripting rule, which drives a real browser, and for a client-side crawl so the scanner has requests to test. Legacy applications may require tests for older vulnerability types, such as server-side includes, that are rarely seen in modern frameworks.
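The risk-based "API Security Testing" policy above and the technology-specific policies described here can both be expressed as a ZAP Automation Framework plan, which keeps the policy in version control next to the application. The plan below is an added example, not configuration from the original page or from the ZAP project; the target URL, the OpenAPI file name, the report directory and the assumed stack (a Node.js JSON API on Linux backed by MongoDB) are placeholders chosen for illustration. The rule IDs shown are ZAP's built-in identifiers, but confirm them in your own Scan Policy Manager before relying on them, since add-on rules such as the JWT rule carry IDs that depend on the installed add-on version and are left out here for that reason.

```yaml
# ZAP Automation Framework plan (added example, not from the original page).
# Run with:  zap.sh -cmd -autorun api-scan-plan.yaml
env:
  contexts:
    - name: "api"
      urls:
        - "https://api.example.test"          # placeholder target
      technology:
        # Assumed stack: Node.js on Linux with MongoDB. Excluding absent
        # technologies prunes the matching rules and payload variants.
        exclude:
          - "Language.PHP"
          - "Language.ASP"
          - "Language.JSP/Servlet"
          - "OS.Windows"
          - "Db.MySQL"
          - "Db.PostgreSQL"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  # Seed the scan tree from the API specification (placeholder file name).
  - type: openapi
    parameters:
      apiFile: "openapi.json"
      targetUrl: "https://api.example.test"
      context: "api"

  - type: activeScan
    parameters:
      context: "api"
      maxRuleDurationInMins: 5      # a single slow rule cannot stall the run
      maxScanDurationInMins: 60
    policyDefinition:
      # Start with every rule off and allow-list what fits the stack.
      # "threshold: off" disables a rule; strength controls payload count,
      # threshold controls the confidence needed before an alert is raised.
      defaultStrength: medium
      defaultThreshold: off
      rules:
        - id: 40018
          name: "SQL Injection"
          strength: high
          threshold: medium
        - id: 40033
          name: "NoSQL Injection - MongoDB"
          strength: medium
          threshold: medium
        - id: 90023
          name: "XML External Entity Attack"
          strength: high
          threshold: medium
        - id: 90020
          name: "Remote OS Command Injection"
          strength: medium
          threshold: low      # worth a few extra reviews on an API backend
        - id: 6
          name: "Path Traversal"
          strength: medium
          threshold: medium
        # Left off on purpose by defaultThreshold: 40015 LDAP Injection (no
        # directory), 40009 Server Side Include (no SSI), 40012 and 40014
        # Cross Site Scripting (JSON responses are never rendered as HTML).

  - type: report
    parameters:
      template: "traditional-json"
      reportDir: "/tmp/zap-reports"   # placeholder output location
      reportFile: "api-scan"
```

Setting `defaultThreshold: off` and listing only the wanted rules makes the policy an allow-list, so a rule added by a future ZAP release does not silently join the scan. A second plan for a PHP site or a Java service would change only the `technology.exclude` list and the `rules` block, which is the technology-specific policy the text describes.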