diff --git a/src/zap.conf b/src/zap.conf
index 710efbc6f..9a3897c39 100644
--- a/src/zap.conf
+++ b/src/zap.conf
@@ -71,9 +71,9 @@
 10038	OUTOFSCOPE	http://app:8080/domain_requests/
 10038	OUTOFSCOPE	http://app:8080/domains/
 10038	OUTOFSCOPE	http://app:8080/organization/
+10038   OUTOFSCOPE  http://app:8080/permissions
 10038	OUTOFSCOPE	http://app:8080/suborganization/
 10038	OUTOFSCOPE	http://app:8080/transfer/
-10038   OUTOFSCOPE  http://app:8080/permissions
 # This URL always returns 404, so include it as well.
 10038	OUTOFSCOPE	http://app:8080/todo
 # OIDC isn't configured in the test environment and DEBUG=True so this gives a 500 without CSP headers