[{"data":1,"prerenderedAt":302},["ShallowReactive",2],{"blog-vulnerabilities/security-misconfiguration":3},{"id":4,"title":5,"body":6,"category":282,"date":283,"dateModified":283,"description":284,"draft":285,"extension":286,"faq":287,"featured":285,"headerVariant":288,"image":287,"keywords":287,"meta":289,"navigation":290,"ogDescription":291,"ogTitle":287,"path":292,"readTime":293,"schemaOrg":294,"schemaType":295,"seo":296,"sitemap":297,"stem":298,"tags":299,"twitterCard":300,"__hash__":301},"blog/blog/vulnerabilities/security-misconfiguration.md","Security Misconfiguration Explained",{"type":7,"value":8,"toc":267},"minimark",[9,16,21,24,28,33,48,51,60,64,131,135,138,151,155,164,168,178,182,196,200,203,220,236,255],[10,11,12],"tldr",{},[13,14,15],"p",{},"Security misconfiguration is an umbrella term for settings and defaults that leave your app vulnerable. This includes default credentials, verbose error messages, missing security headers, open cloud storage, and debug modes in production. Most are easy to fix once you know to look for them.",[17,18,20],"h2",{"id":19},"what-is-security-misconfiguration","What Is Security Misconfiguration?",[13,22,23],{},"Security misconfiguration happens when security settings are missing, incorrectly configured, or left at insecure defaults. Unlike vulnerabilities in code, these are issues with how your application and infrastructure are set up.",[17,25,27],{"id":26},"common-misconfigurations","Common Misconfigurations",[29,30,32],"h3",{"id":31},"_1-verbose-error-messages","1. 
Verbose Error Messages",[34,35,37],"code-block",{"label":36},"Leaking internal details",[38,39,44],"pre",{"className":40,"code":42,"language":43},[41],"language-text","// Production error response that reveals too much:\n{\n  \"error\": \"DatabaseError: relation \\\"users\\\" does not exist\",\n  \"stack\": \"at Query.run (/app/node_modules/pg/lib/query.js:83:17)\\n\n            at Client.query (/app/node_modules/pg/lib/client.js:476:10)\\n\n            at /app/src/api/users.ts:42:15\",\n  \"query\": \"SELECT * FROM users WHERE id = $1\",\n  \"database\": \"postgres://admin:password123@db.internal:5432/myapp\"\n}\n","text",[45,46,42],"code",{"__ignoreMap":47},"",[13,49,50],{},"This tells attackers your database type, table names, file paths, and even credentials.",[34,52,54],{"label":53},"Safe error response",[38,55,58],{"className":56,"code":57,"language":43},[41],"// Production error response\n{\n  \"error\": \"An error occurred. Please try again.\",\n  \"requestId\": \"req_abc123\"  // For internal debugging\n}\n\n// Log full details server-side, not to the user\n",[45,59,57],{"__ignoreMap":47},[29,61,63],{"id":62},"_2-missing-security-headers","2. Missing Security Headers",[65,66,67,83],"table",{},[68,69,70],"thead",{},[71,72,73,77,80],"tr",{},[74,75,76],"th",{},"Header",[74,78,79],{},"Purpose",[74,81,82],{},"Recommended Value",[84,85,86,98,109,120],"tbody",{},[71,87,88,92,95],{},[89,90,91],"td",{},"X-Content-Type-Options",[89,93,94],{},"Prevent MIME sniffing",[89,96,97],{},"nosniff",[71,99,100,103,106],{},[89,101,102],{},"X-Frame-Options",[89,104,105],{},"Prevent clickjacking",[89,107,108],{},"DENY or SAMEORIGIN",[71,110,111,114,117],{},[89,112,113],{},"Strict-Transport-Security",[89,115,116],{},"Enforce HTTPS",[89,118,119],{},"max-age=31536000; includeSubDomains",[71,121,122,125,128],{},[89,123,124],{},"Content-Security-Policy",[89,126,127],{},"Prevent XSS",[89,129,130],{},"Varies by app",[29,132,134],{"id":133},"_3-default-credentials","3. 
Default Credentials",[13,136,137],{},"Services often ship with default passwords that attackers know:",[139,140,141,145,148],"ul",{},[142,143,144],"li",{},"Database: postgres/postgres, root/(empty), admin/admin",[142,146,147],{},"Admin panels: admin/admin, admin/password",[142,149,150],{},"Routers/devices: admin/admin, admin/1234",[29,152,154],{"id":153},"_4-debug-mode-in-production","4. Debug Mode in Production",[34,156,158],{"label":157},"Dangerous production settings",[38,159,162],{"className":160,"code":161,"language":43},[41],"// Next.js with debug enabled\nmodule.exports = {\n  reactStrictMode: true,\n  // DANGER: Never in production\n  productionBrowserSourceMaps: true\n};\n\n// Express with verbose errors\napp.use((err, req, res, next) => {\n  res.status(500).json({\n    error: err.message,\n    stack: err.stack  // DANGER: Exposes internals\n  });\n});\n",[45,163,161],{"__ignoreMap":47},[29,165,167],{"id":166},"_5-open-cloud-storage","5. Open Cloud Storage",[169,170,171],"warning-box",{},[13,172,173,177],{},[174,175,176],"strong",{},"AWS S3 buckets and Firebase Storage"," are often misconfigured with public access. Always verify your storage permissions only allow intended access.",[29,179,181],{"id":180},"_6-unnecessary-features-enabled","6. 
Unnecessary Features Enabled",[139,183,184,187,190,193],{},[142,185,186],{},"Directory listing on web servers",[142,188,189],{},"Unused HTTP methods (PUT, DELETE on static servers)",[142,191,192],{},"Admin endpoints without authentication",[142,194,195],{},"GraphQL introspection in production",[17,197,199],{"id":198},"misconfiguration-in-vibe-coded-apps","Misconfiguration in Vibe-Coded Apps",[13,201,202],{},"AI-generated code often uses development-friendly defaults that aren't production-safe:",[139,204,205,211,214,217],{},[142,206,207,208],{},"CORS set to ",[45,209,210],{},"origin: '*'",[142,212,213],{},"Debug logging enabled",[142,215,216],{},"Stack traces in error responses",[142,218,219],{},"Source maps exposed",[221,222,223,230],"faq-section",{},[224,225,227],"faq-item",{"question":226},"How do I find misconfigurations in my app?",[13,228,229],{},"Run a security scanner, check security headers with tools like securityheaders.com, review your hosting platform's security settings, and audit your environment variables and configuration files.",[224,231,233],{"question":232},"Are default Vercel/Netlify settings secure?",[13,234,235],{},"Modern hosting platforms have good defaults, but you should still add security headers, restrict CORS to your domains, and ensure environment variables aren't exposed to the client.",[237,238,239,245,250],"related-articles",{},[240,241],"related-card",{"description":242,"href":243,"title":244},"Misconfigurations are one of 8 attack vectors covered in this guide","/blog/vulnerabilities/how-ai-apps-are-vulnerable","How AI-Generated Apps Are Vulnerable to Attacks",[240,246],{"description":247,"href":248,"title":249},"Implementation guide","/blog/how-to/add-security-headers","Add Security Headers",[240,251],{"description":252,"href":253,"title":254},"Pre-launch security","/blog/checklists/pre-deployment-security-checklist","Deployment Checklist",[256,257,260,264],"cta-box",{"href":258,"label":259},"/","Start Free Scan",[17,261,263],{"id":262},"find-misconfigurations","Find Misconfigurations",[13,265,266],{},"Our scanner checks security headers, CORS, and common misconfigurations.",{"title":47,"searchDepth":268,"depth":268,"links":269},2,[270,271,280,281],{"id":19,"depth":268,"text":20},{"id":26,"depth":268,"text":27,"children":272},[273,275,276,277,278,279],{"id":31,"depth":274,"text":32},3,{"id":62,"depth":274,"text":63},{"id":133,"depth":274,"text":134},{"id":153,"depth":274,"text":154},{"id":166,"depth":274,"text":167},{"id":180,"depth":274,"text":181},{"id":198,"depth":268,"text":199},{"id":262,"depth":268,"text":263},"vulnerabilities","2026-01-20","Security misconfiguration covers default passwords, verbose errors, missing security headers, and exposed admin panels. Learn the common misconfigs in vibe-coded apps.",false,"md",null,"red",{},true,"Learn about common security misconfigurations and how to fix them in your app.","/blog/vulnerabilities/security-misconfiguration","8 min read","[object Object]","TechArticle",{"title":5,"description":284},{"loc":292},"blog/vulnerabilities/security-misconfiguration",[],"summary_large_image","dbHSwqhyfSo8gogDfyrxQwJG8Vat3G7mLKf2ytX7lmk",1775843926532]
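Worked example for the "Verbose Error Messages" and "Debug Mode in Production" sections above. This is an added example, not code from the original article or its scanner: the "safe error response" pattern factored into a plain function so it runs without a web framework. The client receives only a generic message and a request id; the full error goes to the server log with any `scheme://user:password@host` credentials scrubbed first, so a connection string echoed by a database driver never reaches logs or clients. The `query` field on the error, the `/admin`-free paths and the `errorHandler` wiring are assumptions; Express itself is not loaded here.

```javascript
// Added example (not from the original article): split an error into the
// generic body a client may see and the full record written server-side.

// Scrub "scheme://user:password@host" credentials, e.g. from a DATABASE_URL
// that a driver echoed into an error message.
function redactConnectionStrings(text) {
  return String(text).replace(/(\w+:\/\/)([^\s:@\/]+):([^\s@\/]+)@/g, '$1$2:[REDACTED]@');
}

function newRequestId() {
  // Correlation id for support and log lookup only; it is not a secret.
  return 'req_' + Date.now().toString(36) + Math.random().toString(36).slice(2, 8);
}

// Returns { status, body, logEntry }: body is everything the client may see,
// logEntry is written to the server log and never to the HTTP response.
function buildErrorResponse(err, { production = true, requestId = newRequestId() } = {}) {
  // Only explicit client errors (4xx) keep their own message; anything else is a 500.
  const status = Number.isInteger(err.status) && err.status >= 400 && err.status < 500
    ? err.status
    : 500;
  const logEntry = {
    requestId,
    status,
    name: err.name,
    message: redactConnectionStrings(err.message),
    stack: redactConnectionStrings(err.stack || ''),
    // `query` is a hypothetical field some DB drivers attach; scrub it too.
    ...(err.query ? { query: redactConnectionStrings(err.query) } : {}),
  };
  let body;
  if (status !== 500) {
    body = { error: err.message, requestId };
  } else if (production) {
    body = { error: 'An error occurred. Please try again.', requestId };
  } else {
    body = { error: err.message, stack: err.stack, requestId }; // development only
  }
  return { status, body, logEntry };
}

// Express error middleware; the four-argument signature is what marks it as one.
function errorHandler(err, req, res, next) { // eslint-disable-line no-unused-vars
  const { status, body, logEntry } = buildErrorResponse(err, {
    production: process.env.NODE_ENV === 'production',
  });
  console.error(JSON.stringify(logEntry)); // server log, not the response
  res.status(status).json(body);
}
```

Compare with the "Dangerous production settings" handler above: that one copies `err.stack` into the response unconditionally, whereas here the stack is only ever returned when `production` is false, and the redaction runs before anything is logged.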
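Worked example for the "Missing Security Headers" table, the `origin: '*'` item under "Misconfiguration in Vibe-Coded Apps", and the FAQ's advice to check your headers. This is an added example, not code from the original article or its scanner: the table's values as a baseline, an allowlist-based CORS decision, and an `auditHeaders()` function that reports what a response is missing or sets weakly. The CSP string and the origins used are assumptions; "Varies by app" in the table means yours will differ.

```javascript
// Added example (not from the original article): header baseline, allowlisted
// CORS, and an audit of the kind securityheaders.com performs remotely.

const SECURITY_HEADERS = {
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  // Assumed strict starting point; the article's table says this varies by app.
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
};

// Echo only an allowlisted Origin. Returning no CORS headers at all for other
// origins means the browser blocks the cross-origin read.
function corsHeadersFor(origin, allowedOrigins) {
  if (!origin || !allowedOrigins.includes(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin, // the exact origin, never '*'
    'Vary': 'Origin',                      // caches must not reuse across origins
  };
}

// Script sources a CSP allows: script-src if present, else default-src, else null.
function cspScriptSources(csp) {
  const directives = String(csp).split(';').map(d => d.trim().split(/\s+/)).filter(d => d[0]);
  const get = name => directives.find(d => d[0].toLowerCase() === name);
  const d = get('script-src') || get('default-src');
  return d ? d.slice(1) : null;
}

// Returns a list of findings (empty when the baseline is met). Header names
// are compared case-insensitively, as HTTP requires.
function auditHeaders(responseHeaders) {
  const have = {};
  for (const [k, v] of Object.entries(responseHeaders)) have[k.toLowerCase()] = String(v).trim();
  const findings = [];
  for (const name of Object.keys(SECURITY_HEADERS)) {
    const actual = have[name.toLowerCase()];
    if (actual === undefined) { findings.push(`missing ${name}`); continue; }
    let weak = false;
    switch (name) {
      case 'X-Content-Type-Options':
        weak = actual.toLowerCase() !== 'nosniff'; break;
      case 'X-Frame-Options':
        weak = !/^(deny|sameorigin)$/i.test(actual); break;
      case 'Strict-Transport-Security': {
        const m = /max-age=(\d+)/i.exec(actual);
        weak = !m || Number(m[1]) < 31536000; break; // one year minimum
      }
      case 'Content-Security-Policy': {
        const src = cspScriptSources(actual);
        weak = !src || src.includes('*') || src.includes("'unsafe-inline'"); break;
      }
    }
    if (weak) findings.push(`weak ${name}: ${actual}`);
  }
  if (have['access-control-allow-origin'] === '*') findings.push("CORS allows any origin ('*')");
  return findings;
}
```

Run `auditHeaders()` against the headers of a real response (for example from `fetch()` in a script, or a copied `curl -I` output) and fix until it returns an empty list; the `Vary: Origin` header in `corsHeadersFor()` matters because a shared cache would otherwise serve one origin's CORS response to another.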
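Worked example for the "Unnecessary Features Enabled" list above (unused HTTP methods, unauthenticated admin endpoints, GraphQL introspection in production). This is an added example, not code from the original article or its scanner: a production gate written as a plain function so it runs without a web framework. The `/api` and `/graphql` paths, the `/admin` prefix, the method sets and the `isAuthenticated` flag are assumptions; directory listing is a server setting rather than per-request logic, so it is not covered here.

```javascript
// Added example (not from the original article): a request gate for the
// "unnecessary features" list. Returns { allow, status, reason }.

const STATIC_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']); // all a static route needs
const API_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']);

// A GraphQL document is an introspection query if it selects __schema or
// __type. Syntactic check on the selection set, not a full parser, so it also
// catches aliased forms like `s: __schema { ... }` while leaving __typename alone.
function isIntrospectionQuery(query) {
  return /(^|[\s{,:])__(schema|type)\b/.test(String(query || ''));
}

function gateRequest(req, { production = true, adminPrefix = '/admin' } = {}) {
  const method = String(req.method || '').toUpperCase();
  const path = String(req.path || '/');
  const isApi = path.startsWith('/api') || path === '/graphql';

  // 1. Unused HTTP methods: static assets never need PUT/DELETE.
  const allowed = isApi ? API_METHODS : STATIC_METHODS;
  if (!allowed.has(method)) {
    return { allow: false, status: 405, reason: `method ${method} not allowed on ${path}` };
  }

  // 2. Admin endpoints without authentication: deny before any handler runs.
  if (path.startsWith(adminPrefix) && !req.isAuthenticated) {
    return { allow: false, status: 401, reason: 'admin route requires authentication' };
  }

  // 3. GraphQL introspection in production: refuse the document outright so
  //    the schema cannot be enumerated by anyone who finds the endpoint.
  if (path === '/graphql' && production && isIntrospectionQuery(req.body && req.body.query)) {
    return { allow: false, status: 400, reason: 'introspection is disabled in production' };
  }

  return { allow: true, status: 200, reason: 'ok' };
}
```

Mount something like this before routing so the decision is made once per request; the point of the `production` flag is that introspection stays available to developers locally while being off wherever `NODE_ENV` is `production`.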