After this lesson, you will be able to: Recognize, find, and fix Security Misconfiguration (OWASP A05): insecure defaults, exposed services, and over-permissive settings.
Security Misconfiguration is OWASP A05: the system is built from secure parts but configured insecurely. Default credentials, verbose error pages, open cloud storage, unnecessary features enabled, and missing security headers all fall here. It is the most common category to introduce by accident.
Misconfiguration is a security-relevant setting left wrong: default or weak admin credentials still active, directory listing enabled, detailed stack traces shown to users, cloud storage buckets set to public, unused ports/services/features enabled, missing security headers (HSTS, CSP, X-Content-Type-Options), or out-of-the-box sample apps left in production. The software is fine; the deployment is not.
Misconfiguration is found by scanning and config review.
Run a vulnerability scanner / config checker (Nikto, OWASP ZAP, cloud config tools) against the target.
Check for default credentials on every admin panel, database, and device.
Look at error responses: do stack traces, framework versions, or paths leak?
Review cloud storage and IAM: any public buckets, over-broad policies, or open security groups?
Check security headers with a tool like securityheaders.com; missing HSTS/CSP is a finding.
Look for sample/admin/debug endpoints left enabled in production.
Harden by default and automate the checks.
# FIX CHECKLIST# - Change/disable all default credentials; no shared admin logins.# - Disable directory listing, debug mode, and verbose errors in prod.# - Return generic error pages; log details server-side only.# - Lock down cloud storage: deny public access by default; least-privilege IAM.# - Remove unused features, ports, services, sample apps.# - Set security headers (example, Express + helmet):import helmet from 'helmet';app.use(helmet()); // HSTS, CSP defaults, X-Content-Type-Options, etc.# - Automate it: a hardening baseline + config scanning in CI so a# misconfiguration fails the build instead of reaching production.
Pick the best answer.
Sign in and purchase access to unlock this lesson.