TL;DR
Security misconfiguration is an umbrella term for settings and defaults that leave your app vulnerable. This includes default credentials, verbose error messages, missing security headers, open cloud storage, and debug modes in production. Most are easy to fix once you know to look for them.
What Is Security Misconfiguration?
Security misconfiguration happens when security settings are missing, incorrectly configured, or left at insecure defaults. Unlike vulnerabilities in code, these are issues with how your application and infrastructure are set up.
Common Misconfigurations
1. Verbose Error Messages
Production error response that reveals too much:

```json
{
  "error": "DatabaseError: relation \"users\" does not exist",
  "stack": "at Query.run (/app/node_modules/pg/lib/query.js:83:17)\n    at Client.query (/app/node_modules/pg/lib/client.js:476:10)\n    at /app/src/api/users.ts:42:15",
  "query": "SELECT * FROM users WHERE id = $1",
  "database": "postgres://admin:password123@db.internal:5432/myapp"
}
```
This tells attackers your database type, table names, file paths, and even credentials.
Hardened production error response: the user gets only a generic message and a request id for correlation.

```json
{
  "error": "An error occurred. Please try again.",
  "requestId": "req_abc123"
}
```

The `requestId` exists for internal debugging: log the full details (message, stack, query) server-side under that id, never to the user.
2. Missing Security Headers
| Header | Purpose | Recommended Value |
|---|---|---|
| X-Content-Type-Options | Prevent MIME sniffing | nosniff |
| X-Frame-Options | Prevent clickjacking | DENY or SAMEORIGIN |
| Strict-Transport-Security | Enforce HTTPS | max-age=31536000; includeSubDomains |
| Content-Security-Policy | Prevent XSS | Varies by app |
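The table above can be turned into both a default header set and a check. The following is an added example (not code from the original page): `applySecurityHeaders` writes the recommended values to any response object with a `setHeader()` method, and `auditSecurityHeaders` reports headers that are missing or weaker than the table's recommendation. The CSP value `default-src 'self'` is an assumed starting point, since the right policy varies by app; the function names are this example's own.

```javascript
// Added example. Baseline header set matching the table; the CSP is only an
// assumed starting point and must be tuned per application.
const BASELINE_HEADERS = {
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'",
};

// Apply the baseline (plus optional per-app overrides such as a custom CSP) to
// any response object that exposes setHeader(), e.g. Node's http.ServerResponse.
function applySecurityHeaders(res, overrides = {}) {
  for (const [name, value] of Object.entries({ ...BASELINE_HEADERS, ...overrides })) {
    res.setHeader(name, value);
  }
  return res;
}

// Audit a header map (keys compared case-insensitively, as returned by
// res.getHeaders() or collected from a fetch() Response) and return findings.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  if (h['x-content-type-options'] !== 'nosniff') {
    findings.push('X-Content-Type-Options: missing or not "nosniff"');
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('X-Frame-Options: missing or not DENY/SAMEORIGIN');
  }

  const hsts = h['strict-transport-security'] || '';
  const maxAge = /max-age=(\d+)/i.exec(hsts);
  if (!maxAge || Number(maxAge[1]) < 31536000) {
    findings.push('Strict-Transport-Security: missing or max-age shorter than one year');
  } else if (!/includeSubDomains/i.test(hsts)) {
    findings.push('Strict-Transport-Security: includeSubDomains not set');
  }

  const csp = h['content-security-policy'] || '';
  if (!csp) {
    findings.push('Content-Security-Policy: missing');
  } else if (/'unsafe-inline'|'unsafe-eval'/.test(csp)) {
    findings.push("Content-Security-Policy: allows 'unsafe-inline'/'unsafe-eval', which weakens XSS protection");
  }
  return findings;
}
```

Run `auditSecurityHeaders` against the headers your deployed site actually returns (for example, the object built from a `fetch()` response's headers), not against your source config, so that a proxy or CDN stripping a header is caught too.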
3. Default Credentials
Services often ship with default passwords that attackers know:
- Database: postgres/postgres, root/(empty), admin/admin
- Admin panels: admin/admin, admin/password
- Routers/devices: admin/admin, admin/1234
4. Debug Mode in Production
Next.js with debug settings enabled:

```javascript
// next.config.js
module.exports = {
  reactStrictMode: true,
  // DANGER: never in production; ships your source maps to every visitor
  productionBrowserSourceMaps: true
};
```

Express with verbose errors:

```javascript
app.use((err, req, res, next) => {
  res.status(500).json({
    error: err.message,
    stack: err.stack // DANGER: exposes internals to the client
  });
});
```
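The hardened counterpart to both the verbose response in section 1 and the Express handler above, as an added example that is not code from the original page: the error is split into a generic body for the client and a detailed record for the server log, and any `scheme://user:password@host` connection string is masked before it is logged, so the credentials shown in section 1 never land in a log either. `splitError`, `redactConnectionStrings` and `newRequestId` are this example's own names; `req.id` is assumed to be set by earlier middleware and is generated when absent.

```javascript
// Added example. Mask the password in any "scheme://user:password@host" substring.
function redactConnectionStrings(text) {
  return String(text).replace(/(\w+:\/\/)([^:\/\s@]+):([^@\/\s]+)@/g, '$1$2:***@');
}

// Correlation id so a user's report can be matched to one log line (not a secret).
function newRequestId() {
  return 'req_' + Date.now().toString(36) + Math.random().toString(36).slice(2, 8);
}

// Split an error into what the client may see and what stays in server logs.
function splitError(err, requestId = newRequestId()) {
  const publicBody = { error: 'An error occurred. Please try again.', requestId };

  // Database drivers attach extra fields (query text, connection info) to the
  // error object; keep them server-side only, with credentials redacted.
  const details = {};
  for (const [key, value] of Object.entries(err)) {
    if (['name', 'message', 'stack'].includes(key)) continue;
    details[key] = typeof value === 'string' ? redactConnectionStrings(value) : value;
  }

  const logRecord = {
    requestId,
    name: err.name,
    message: redactConnectionStrings(err.message),
    stack: redactConnectionStrings(err.stack || ''),
    details,
  };
  return { publicBody, logRecord };
}

// Express-style error middleware: the four-parameter signature is what Express
// uses to recognise an error handler. Works with any res exposing status().json().
function errorHandler(err, req, res, next) {
  const { publicBody, logRecord } = splitError(err, req.id);
  console.error(JSON.stringify(logRecord)); // server log only
  res.status(500).json(publicBody);
}
```

Register `errorHandler` after all routes with `app.use(errorHandler)`. The request id in the response lets support staff find the full record with one log search, which is what the verbose response was trying to make convenient.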
5. Open Cloud Storage
AWS S3 buckets and Firebase Storage are often misconfigured with public access. Always verify your storage permissions only allow intended access.
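One concrete check for the S3 case, as an added example that is not code from the original page: given a bucket policy document, list the statements that grant access to everyone (`Effect: Allow` with an anonymous principal and no `Condition`). This is a simplified reading of the policy language, assumed to cover the common shapes; it complements, and does not replace, S3 Block Public Access and the bucket ACL review. The sample policy in the test is constructed; `findPublicStatements` and `isAnonymousPrincipal` are this example's own names.

```javascript
// Added example. Does a policy Principal mean "anyone"? Covers the string form
// ("*") and the object form ({ "AWS": "*" } or an array containing "*").
function isAnonymousPrincipal(principal) {
  if (principal === '*') return true;
  if (principal && typeof principal === 'object') {
    const aws = principal.AWS;
    return aws === '*' || (Array.isArray(aws) && aws.includes('*'));
  }
  return false;
}

// Return the statements in a bucket policy that grant unconditional access to
// everyone. Statements with a Condition are skipped here and deserve a manual
// read (a condition can still be wide open).
function findPublicStatements(policy) {
  const statements = Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
  return statements
    .filter((s) => s && s.Effect === 'Allow' && isAnonymousPrincipal(s.Principal) && !s.Condition)
    .map((s) => ({ sid: s.Sid || '(no Sid)', actions: [].concat(s.Action) }));
}
```

Feed it the JSON returned by `aws s3api get-bucket-policy` for each bucket; an empty result does not prove the bucket is private (object ACLs and Block Public Access settings matter too), but a non-empty one is a misconfiguration to fix.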
6. Unnecessary Features Enabled
- Directory listing on web servers
- Unused HTTP methods (PUT, DELETE on static servers)
- Admin endpoints without authentication
- GraphQL introspection in production
Misconfiguration in Vibe-Coded Apps
AI-generated code often uses development-friendly defaults that aren't production-safe:
- CORS set to `origin: '*'`
- Debug logging enabled
- Stack traces in error responses
- Source maps exposed
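The fix for `origin: '*'` is an explicit allow-list, shown here as an added example rather than code from the original page: the middleware echoes the request's `Origin` only when it is on the list, sets `Vary: Origin` so caches do not serve one origin's answer to another, and answers preflight requests with the exact method list the API needs (no `PUT`/`DELETE` unless they are required). The option names and the Express-compatible shape (`req.headers`, `res.setHeader`, `res.status().end()`, `next`) are this example's assumptions.

```javascript
// Added example: allow-list CORS middleware to replace `origin: '*'`.
// A wildcard lets any site read the API from a victim's browser and cannot be
// combined with credentials; echoing only known origins fixes both.
function corsAllowList({
  allowedOrigins,
  methods = ['GET', 'POST'],
  allowedHeaders = ['Content-Type', 'Authorization'],
  allowCredentials = false,
}) {
  const allowed = new Set(allowedOrigins);

  return function cors(req, res, next) {
    const origin = req.headers.origin;
    const permitted = Boolean(origin) && allowed.has(origin);

    // The response depends on the Origin header, so caches must key on it.
    res.setHeader('Vary', 'Origin');

    if (permitted) {
      res.setHeader('Access-Control-Allow-Origin', origin);
      if (allowCredentials) res.setHeader('Access-Control-Allow-Credentials', 'true');
    }

    if (req.method === 'OPTIONS') {
      // Preflight: advertise only the methods and headers the API actually uses,
      // and only to permitted origins; unknown origins get an empty 204.
      if (permitted) {
        res.setHeader('Access-Control-Allow-Methods', methods.join(', '));
        res.setHeader('Access-Control-Allow-Headers', allowedHeaders.join(', '));
      }
      res.status(204).end();
      return;
    }
    next();
  };
}
```

Mount it before the routes, e.g. `app.use(corsAllowList({ allowedOrigins: ['https://app.example.com'] }))`, and keep the list in configuration rather than in code so staging and production can differ without a wildcard.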
How do I find misconfigurations in my app?
Run a security scanner, check security headers with tools like securityheaders.com, review your hosting platform's security settings, and audit your environment variables and configuration files.
Are default Vercel/Netlify settings secure?
Modern hosting platforms have good defaults, but you should still add security headers, restrict CORS to your domains, and ensure environment variables aren't exposed to the client.