What Misconfiguration Is
Security misconfiguration is the broad category of insecure default settings, incomplete setups, and unnecessary features left enabled across the stack. It spans web servers, frameworks, cloud storage, and containers, and it is consistently one of the most common ways systems are compromised.
Common Examples
- Default credentials left unchanged on admin consoles or databases.
- Verbose error messages that leak stack traces, versions, and internal paths.
- Publicly readable cloud storage buckets that were meant to be private.
- Unused services and ports running with no business need.
Defenses
- Build a repeatable hardened baseline and apply it through infrastructure as code so environments match.
- Remove or disable features, sample apps, and accounts you do not use.
- Return generic error messages to users and keep detailed traces in server logs only.
- Continuously scan and audit configuration to catch drift.
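The four defenses above, worked as a small configuration audit. This is an added example and not code from the original page; the hardened baseline, the sample configuration, the default-credential list and the approved-port allowlist are all constructed for illustration, and would be replaced by an organization's own baseline in practice. `audit_config` compares a deployed configuration to the baseline and reports every deviation as a drift finding (debug mode, verbose errors, leftover sample apps, a public storage ACL, unchanged default credentials, ports with no approved business need), and `safe_error_response` shows the split between a generic client-facing error body and a detailed server-side log record.

```python
"""Audit a configuration against a hardened baseline and report drift.

Added example, not from the original page. Every value below is constructed
for illustration; a real baseline would be generated from the organization's
infrastructure-as-code definitions.
"""
import traceback
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed hardened baseline: every environment must match these settings.
HARDENED_BASELINE: Dict[str, object] = {
    "debug": False,
    "verbose_errors": False,
    "directory_listing": False,
    "sample_apps_installed": False,
    "storage_acl": "private",
}

# Baseline keys whose drift is worse than the default "medium" rating.
SEVERITY_OVERRIDE = {"storage_acl": "high"}

# Constructed placeholder pairs standing in for vendor default credentials.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Constructed allowlist: only ports with a documented business need.
APPROVED_PORTS = {443}


@dataclass
class Finding:
    key: str        # which setting, account or port drifted
    expected: object
    actual: object
    severity: str


def audit_config(config: dict) -> List[Finding]:
    """Return one Finding per deviation from the hardened baseline."""
    findings: List[Finding] = []

    # 1. Baseline drift: any key missing or differing from the baseline.
    for key, expected in HARDENED_BASELINE.items():
        actual = config.get(key, "<missing>")
        if actual != expected:
            findings.append(Finding(key, expected, actual,
                                    SEVERITY_OVERRIDE.get(key, "medium")))

    # 2. Default credentials left unchanged on any account.
    for user, password in config.get("accounts", []):
        if (user, password) in KNOWN_DEFAULT_CREDENTIALS:
            findings.append(Finding(f"account:{user}", "non-default credential",
                                    "default credential", "critical"))

    # 3. Listening ports that are not on the approved allowlist.
    for port in config.get("listening_ports", []):
        if port not in APPROVED_PORTS:
            findings.append(Finding(f"port:{port}", "closed", "open", "medium"))

    return findings


def has_drift(findings: List[Finding]) -> bool:
    """True when a CI gate should fail the deployment."""
    return len(findings) > 0


def safe_error_response(exc: Exception, request_id: str) -> Tuple[dict, str]:
    """Generic body for the client; full exception detail only in the log record."""
    body = {"error": "An internal error occurred.", "request_id": request_id}
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log_record = f"request_id={request_id} {type(exc).__name__}: {exc}\n{detail}"
    return body, log_record


# Constructed sample of a drifted deployment (not a real system).
SAMPLE_CONFIG = {
    "debug": True,
    "verbose_errors": True,
    "directory_listing": False,
    "sample_apps_installed": True,
    "storage_acl": "public-read",
    "accounts": [("admin", "admin"), ("deploy", "Lq8#v2pTk!9s")],
    "listening_ports": [443, 8080, 21],
}


def run_sample_audit() -> List[Finding]:
    """Audit the constructed sample; used by the stand-alone run below."""
    return audit_config(SAMPLE_CONFIG)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.severity}] {f.key}: expected {f.expected!r}, found {f.actual!r}")
    body, log_record = safe_error_response(ValueError("bad value in /etc/app/secret.cfg"), "req-42")
    print("client sees:", body)
    print("server log:", log_record.splitlines()[0])
```

Running the audit from CI against each environment's rendered configuration turns "continuously audit for drift" into a gate: a non-empty finding list fails the pipeline, and because the baseline itself lives next to the infrastructure code, fixing drift means changing the code rather than hand-editing a server.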
Key Idea
Treat configuration as code with a hardened baseline, remove what you do not need, and continuously audit for drift to close this common attack surface.