{
    "slug": "attack_surface",
    "term": "Attack Surface",
    "category": "general",
    "difficulty": "intermediate",
    "short": "The sum of all points where an attacker can try to enter or extract data from a system.",
    "long": "The attack surface of an application includes every endpoint, input field, API route, file upload, authentication mechanism, third-party dependency, and administrative interface that could be targeted. Reducing attack surface — disabling unused features, removing dead code, restricting API access, closing unused ports — is one of the most effective security improvements because it eliminates entire categories of risk rather than mitigating individual vulnerabilities. Regularly audit what is exposed and remove anything not actively needed.",
    "aliases": [
        "attack surface reduction",
        "exposure surface",
        "system attack surface"
    ],
    "tags": [
        "general",
        "security",
        "principles",
        "architecture"
    ],
    "misconception": "Attack surface only refers to public-facing endpoints. Every exposed interface, dependency, service account, open port, and piece of third-party code increases attack surface — including internal APIs, admin panels, and developer tooling accessible from within the network.",
    "why_it_matters": "Attack surface is the sum of all points where an attacker can try to enter or extract data — reducing it by removing unused endpoints, features, and permissions lowers the chance of any single vulnerability being exploited.",
    "common_mistakes": [
        "Leaving development endpoints (phpinfo, test scripts, debug routes) accessible in production.",
        "Unnecessary services running on production servers — each open port is an entry point.",
        "Overly permissive IAM roles or database users — principle of least privilege reduces blast radius.",
        "Not removing unused dependencies — each dependency is part of your attack surface."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "defence_in_depth",
        "principle_of_least_privilege",
        "zero_trust"
    ],
    "prerequisites": [
        "security_by_design",
        "principle_of_least_privilege",
        "security_misconfiguration"
    ],
    "refs": [
        "https://en.wikipedia.org/wiki/Attack_surface",
        "https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html"
    ],
    "bad_code": "// Attack surface expansion:\nrouter()->get('/debug', fn() => phpinfo());          // Dev tool in production\nrouter()->get('/test-email', fn() => sendTestEmail()); // Unauthenticated action\n// MySQL user with GRANT ALL instead of SELECT, INSERT, UPDATE on app_db only\n// Composer with 47 packages when 12 are actually used",
    "good_code": "// Attack surface = all points where untrusted input enters\n// Reduce it: disable unused features, close unused ports\n\n// Audit PHP attack surface:\n\n// 1. Input vectors — every \\$_GET/POST/COOKIE/FILES/SERVER access\n$ grep -r '\\$_GET\\|\\$_POST\\|\\$_COOKIE\\|\\$_FILES\\|php://input' src/\n\n// 2. Outbound — all external HTTP calls (SSRF risk)\n$ grep -r 'file_get_contents\\|curl_init\\|GuzzleHttp' src/\n\n// 3. Shell — command execution (RCE risk)\n$ grep -r 'exec\\|shell_exec\\|system\\|proc_open\\|popen' src/\n\n// 4. File system — include/require with dynamic paths (LFI risk)\n$ grep -r 'include\\|require' src/ | grep '\\\\$'\n\n// 5. Disable what you don't use in php.ini:\n// disable_functions = exec,system,shell_exec,passthru\n// allow_url_include = Off",
    "quick_fix": "Audit every public endpoint, form, file upload, and API — disable or remove anything not actively needed in production",
    "severity": "medium",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/attack_surface",
        "html_url": "https://codeclaritylab.com/glossary/attack_surface",
        "json_url": "https://codeclaritylab.com/glossary/attack_surface.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Attack Surface](https://codeclaritylab.com/glossary/attack_surface) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/attack_surface"
            }
        }
    }
}