Security misconfiguration (insecure settings, defaults or configuration) is one of the most common security weaknesses (an OWASP Top 10 risk). It covers exposed defaults, unnecessary features, verbose error messages and missing hardening. Avoiding it requires secure, deliberate configuration.
Common misconfigurations
✗ INSECURE DEFAULTS left unchanged → default passwords, default accounts, sample content
✗ Unnecessary FEATURES/services/ports enabled → larger attack surface
✗ VERBOSE ERRORS in production → stack traces leaking internal details to attackers
✗ Missing SECURITY HEADERS; misconfigured CORS (allow-all); directory listing enabled
✗ Exposed admin/management interfaces or debug endpoints publicly
✗ Cloud misconfigs → public storage buckets, open databases, over-permissive access
✗ Outdated software / unpatched systems; overly permissive file/access permissions
How to avoid it
✓ SECURE DEFAULTS & HARDENING → change defaults; disable/remove what's not needed; follow hardening guides (least functionality)
✓ Don't expose detailed ERRORS in production (generic messages; log details internally)
✓ Secure configuration as CODE (IaC) → consistent, reviewable, repeatable configs
✓ Separate configs per environment; no debug/dev settings in production
✓ Regular CONFIGURATION REVIEWS / scanning (automated config/posture checks)
✓ Keep software PATCHED; apply least privilege to configs and permissions
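A configuration audit that checks for the misconfigurations listed above, shown against a constructed insecure config and its hardened counterpart. This is an added example, not code from the original page; the flat settings dict, its key names and the set of required headers are assumptions for illustration.

```python
# Added example (not from the page): audit a flat settings dict for the
# misconfigurations listed above. Setting names and required headers are assumed.
DEFAULT_CREDENTIALS = {"admin", "password", "changeme", "admin123"}
REQUIRED_HEADERS = {"Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options"}


def audit_config(cfg: dict) -> list:
    """Return finding strings; an empty list means no issue was detected."""
    findings = []
    prod = cfg.get("ENV") == "production"
    if prod and cfg.get("DEBUG"):
        findings.append("DEBUG enabled in production (verbose errors, debug endpoints)")
    if prod and cfg.get("SHOW_STACK_TRACES"):
        findings.append("stack traces exposed to clients in production")
    if cfg.get("ADMIN_PASSWORD", "").lower() in DEFAULT_CREDENTIALS:
        findings.append("ADMIN_PASSWORD is a well-known default credential")
    if "*" in cfg.get("CORS_ALLOW_ORIGINS", []):
        findings.append("CORS allows any origin (allow-all)")
    if cfg.get("DIRECTORY_LISTING"):
        findings.append("directory listing enabled")
    for header in sorted(REQUIRED_HEADERS - set(cfg.get("SECURITY_HEADERS", {}))):
        findings.append(f"missing security header: {header}")
    if cfg.get("SAMPLE_CONTENT_INSTALLED"):
        findings.append("sample/demo content still installed")
    if prod and cfg.get("ADMIN_INTERFACE_PUBLIC"):
        findings.append("admin interface reachable from the public network")
    return findings


# Constructed sample configs, not real deployments.
INSECURE_CONFIG = {
    "ENV": "production", "DEBUG": True, "SHOW_STACK_TRACES": True,
    "ADMIN_PASSWORD": "admin", "CORS_ALLOW_ORIGINS": ["*"],
    "DIRECTORY_LISTING": True, "SECURITY_HEADERS": {},
    "SAMPLE_CONTENT_INSTALLED": True, "ADMIN_INTERFACE_PUBLIC": True,
}
HARDENED_CONFIG = {
    "ENV": "production", "DEBUG": False, "SHOW_STACK_TRACES": False,
    "ADMIN_PASSWORD": "<loaded-from-secret-manager>",  # placeholder, never a default
    "CORS_ALLOW_ORIGINS": ["https://app.example.com"],
    "DIRECTORY_LISTING": False, "ADMIN_INTERFACE_PUBLIC": False,
    "SECURITY_HEADERS": {h: "<value>" for h in REQUIRED_HEADERS},
}

if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg))
```

Running such a check in CI against each environment's config is one concrete form of the "configuration as code" and "regular configuration reviews" items above.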
