Expired JWT token in the iframe of the panel, which leads to HTTP 401 response

Hi there,
I’ll do my best to address your questions.

  1. CSRT does a “best effort” attempt on some of the security requirements. In many cases, we cannot determine what is and what is not in scope. We instead report everything and you can then interpret these results. This is why we do not create tickets on Requirement #5 as the results are subjective and full of false positives. You are welcome and encouraged to file a bug report/feature request for CSRT at: Issues · atlassian-labs/connect-security-req-tester · GitHub
  2. You can use AP.context.getToken() in situations where you need to ensure you have a fresh and valid JWT token. This will potentially require a re-design, but the functionality does exist. You can reference these other resources for additional information:
  3. I believe this was answered in #2 via the suggestions provided.
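One way to apply the `AP.context.getToken()` suggestion from the reply above, as an added example that is not part of the original post and not Atlassian's code: a request wrapper for the panel iframe that fetches a fresh token when the cached one is near expiry and retries once on HTTP 401. The names `createClient`, `fetchImpl`, `isStale` and the 30-second skew are hypothetical, and it assumes the app backend accepts the token in an `Authorization: JWT <token>` header.

```javascript
// Added example. `ap` is the Connect JS API object (window.AP inside the iframe);
// `fetchImpl` is window.fetch in the browser. Both are injected so the logic can be tested.

// Read the `exp` claim (seconds since epoch) from the JWT payload.
// No signature check here: the backend verifies the token, the client only reads expiry.
function jwtExpiry(token) {
  const payload = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(payload)).exp;
}

// Treat a token as stale slightly before it expires to absorb clock skew and latency.
function isStale(token, nowSec, skewSec = 30) {
  return !token || jwtExpiry(token) - skewSec <= nowSec;
}

// AP.context.getToken() is callback-style; wrap it in a promise.
function freshToken(ap) {
  return new Promise((resolve) => ap.context.getToken(resolve));
}

function createClient(ap, fetchImpl, now = () => Math.floor(Date.now() / 1000)) {
  let cached = null; // kept in memory only, never written to storage

  async function send(url, options, allowRetry) {
    if (isStale(cached, now())) cached = await freshToken(ap);
    const headers = { ...(options.headers || {}), Authorization: "JWT " + cached };
    const res = await fetchImpl(url, { ...options, headers });
    if (res.status === 401 && allowRetry) {
      cached = null; // backend rejected the token: get a new one and retry once
      return send(url, options, false);
    }
    return res;
  }

  return (url, options = {}) => send(url, options, true);
}
```

In the panel this would be wired up as `const api = createClient(window.AP, window.fetch.bind(window))`, replacing calls that reuse the JWT delivered when the iframe first loaded.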