Security misconfiguration — insecure settings, defaults, or configurations — is one of the most common security weaknesses (an OWASP Top 10 risk). It includes exposed defaults, unnecessary features, verbose errors, and missing hardening. Avoiding it requires secure, deliberate configuration.
Common misconfigurations
✗ INSECURE DEFAULTS left unchanged → default passwords, default accounts, sample content
✗ Unnecessary FEATURES/services/ports enabled → larger attack surface
✗ VERBOSE ERRORS in production → stack traces leaking internal details to attackers
✗ Missing SECURITY HEADERS; misconfigured CORS (allow-all); directory listing enabled
✗ Exposed admin/management interfaces or debug endpoints publicly
✗ Cloud misconfigs → public storage buckets, open databases, over-permissive access
✗ Outdated software / unpatched systems; overly permissive file/access permissions
