
Security Misconfiguration

Tags: Security · CWE-16 · OWASP A5:2021 · CVSS 7.5 · PHP 5.0+ · Beginner
debt(d5/e3/b3/t6)
d5 Detectability (operational debt): how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5) — owasp-zap and lighthouse from detection_hints can find exposed phpinfo/debug pages, but standard CI/linters won't catch php.ini misconfigurations without dedicated scanning.

e3 Effort (remediation debt): work required to fix once spotted

Closest to 'simple parameterised fix' (e3) — the quick fix is changing a handful of php.ini directives (display_errors=Off, expose_php=Off, disable_functions), a small config change rather than a code refactor.

b3 Burden (structural debt): long-term weight of choosing wrong

Closest to 'localised tax' (b3) — the config lives in the deploy/ops layer; once set correctly it doesn't reshape application code, though it requires ongoing audit discipline across environments.

t6 Trap (cognitive debt): how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7) — the misconception field states that developers treat this as an ops-only concern, so the 'obvious' assumption (someone else handles config) leads to defaults shipping to production, which contradicts the expectation that developers own security.


Also Known As

misconfiguration, default credentials, insecure defaults

TL;DR

Insecure default settings, unnecessary features, or missing hardening steps leave applications and infrastructure exposed.

Explanation

Security misconfiguration is consistently the most prevalent OWASP finding and encompasses: default credentials left unchanged, unnecessary features or services enabled, overly permissive cloud storage buckets, verbose error messages exposing stack traces, missing security headers, and unpatched software. In PHP, a hardened configuration disables display_errors in production, sets expose_php=Off, restricts open_basedir, disables dangerous functions, and keeps the runtime patched.

Common Misconception

"Security misconfiguration is an ops problem, not a developer problem." In practice, default debug modes, verbose error pages, and sample files left in production are often introduced by developers, and they go unnoticed because there is no automated configuration audit in CI.

Why It Matters

Security misconfiguration is consistently in the OWASP Top 10 because it requires no vulnerability in your code — leaving a default setting, an open debug endpoint, or directory listing enabled is enough to hand attackers easy wins.

Common Mistakes

  • Leaving APP_DEBUG=true or display_errors=On in production — stack traces reveal file paths, credentials, and logic.
  • Using default credentials for databases, admin panels, or cloud consoles.
  • Exposing .env, .git, or phpinfo() endpoints publicly.
  • Not disabling unused PHP extensions and functions (exec, system, shell_exec) in production.

Code Examples

✗ Vulnerable
# Misconfigured production server:
php.ini:
  display_errors = On          ; stack traces sent to users
  expose_php = On              ; advertises the PHP version
  allow_url_include = On       ; enables remote file inclusion (RFI)

nginx:
  autoindex on;                # directory listing enabled
  server_tokens on;            # nginx version in headers

.env file readable over HTTP:  # DB credentials exposed
  APP_DEBUG=true               # debug mode in production
✓ Fixed
; php.ini production hardening checklist
expose_php           = Off   ; hides X-Powered-By: PHP/8.x
display_errors       = Off   ; CRITICAL — never expose errors to users
log_errors           = On    ; keep errors in the server log instead
disable_functions    = exec,shell_exec,system,passthru,proc_open
allow_url_fopen      = Off
allow_url_include    = Off
session.cookie_httponly = On
session.cookie_secure   = On
session.use_strict_mode = On

# nginx — hide server version, disable directory listing
server_tokens off;
autoindex off;

# File permissions:
$ find /var/www -type f -exec chmod 644 {} \;
$ find /var/www -type d -exec chmod 755 {} \;
$ chmod 600 .env
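The misconception section above points out that these defaults ship to production because nothing in CI audits the configuration. As an added example (not part of this glossary entry), here is a small Python check that parses a php.ini and compares it against the hardened checklist above, plus the open_basedir requirement from the Quick Fix. It handles php.ini's boolean spellings (On/1/True/Yes versus Off/0/False/No/None/empty) and flags values it cannot classify, such as display_errors=stderr, which still displays errors. The baseline dictionary and both sample ini texts are constructed for this example.

```python
"""Added example: CI audit of a php.ini against a production hardening baseline.
The baseline mirrors the Fixed checklist above plus open_basedir from the Quick Fix.
Sample ini texts below are constructed, not taken from a real server."""
import sys

# php.ini boolean semantics: On/1/True/Yes are truthy, Off/0/False/No/None/"" are falsy.
TRUTHY = {"on", "1", "true", "yes"}
FALSY = {"off", "0", "false", "no", "none", ""}

# Hardened baseline (assumed for this example): directive -> required boolean value.
BASELINE = {
    "display_errors": False,
    "expose_php": False,
    "allow_url_fopen": False,
    "allow_url_include": False,
    "log_errors": True,
    "session.cookie_httponly": True,
    "session.cookie_secure": True,
    "session.use_strict_mode": True,
}
# Functions that must appear in disable_functions (from the Fixed checklist above).
REQUIRED_DISABLED = {"exec", "shell_exec", "system", "passthru", "proc_open"}


def parse_php_ini(text):
    """Parse php.ini-style text into {directive: value}.
    Skips ';' comment lines and [section] headers, strips inline ';' comments and
    surrounding double quotes (quoted values containing ';' are not supported here).
    Later duplicates overwrite earlier ones, which is how PHP applies them too."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.split(";", 1)[0].strip().strip('"')
        directives[key.strip().lower()] = value
    return directives


def ini_bool(value):
    """Map a php.ini value to True/False, or None when it is not a recognised boolean
    (e.g. display_errors=stderr, which still shows errors to the caller)."""
    v = value.strip().lower()
    if v in TRUTHY:
        return True
    if v in FALSY:
        return False
    return None


def audit_php_ini(text):
    """Return a list of findings; an empty list means the config meets the baseline."""
    d = parse_php_ini(text)
    findings = []
    for key, want in BASELINE.items():
        raw = d.get(key)
        if raw is None:
            findings.append(f"{key}: not set explicitly (set it to {'On' if want else 'Off'})")
            continue
        got = ini_bool(raw)
        if got is None:
            findings.append(f"{key}: unrecognised value {raw!r}")
        elif got != want:
            findings.append(f"{key}: is {'On' if got else 'Off'}, expected {'On' if want else 'Off'}")
    # disable_functions is a comma-separated list; spaces around names are tolerated.
    disabled = {f.strip() for f in d.get("disable_functions", "").split(",") if f.strip()}
    missing = REQUIRED_DISABLED - disabled
    if missing:
        findings.append("disable_functions: missing " + ", ".join(sorted(missing)))
    if not d.get("open_basedir"):
        findings.append("open_basedir: not set")
    return findings


# Constructed samples: the misconfigured server from the Vulnerable block, and a hardened ini.
VULNERABLE_INI = """
display_errors = On          ; stack traces to users
expose_php = On
allow_url_include = On
"""

HARDENED_INI = """
[PHP]
expose_php           = Off   ; hides X-Powered-By
display_errors       = Off
log_errors           = On
disable_functions    = exec, shell_exec, system, passthru, proc_open
allow_url_fopen      = Off
allow_url_include    = Off
open_basedir         = "/var/www/app:/tmp"
session.cookie_httponly = On
session.cookie_secure   = On
session.use_strict_mode = On
"""

if __name__ == "__main__":
    # CI usage (hypothetical path): python audit_php_ini.py /etc/php/8.x/fpm/php.ini
    # Exits non-zero when findings exist so the pipeline fails before deploy.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_INI
    problems = audit_php_ini(text)
    for p in problems:
        print("FAIL:", p)
    print("OK: php.ini meets baseline" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it against the ini that the production container actually loads (for PHP-FPM that may be the pool config rather than the global php.ini); unset directives are reported as findings on purpose, so the audited file has to state each hardening value explicitly rather than relying on compiled-in defaults.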

Added 15 Mar 2026
Edited 22 Mar 2026
Tools & Severity

🟠 Severity: High. ⚙ Fix effort: Low.

⚡ Quick Fix: run PHP with display_errors=Off, expose_php=Off, open_basedir set, and disable_functions covering dangerous functions in production.

📦 Applies To: PHP 5.0+ (web, cli)

🔍 Detection Hints: display_errors=On or expose_php=On in the production php.ini, or phpinfo() accessible publicly. Auto-detectable: ✓ Yes (phpstan, owasp-zap, lighthouse).

🤖 AI Agent: Confidence: High · False positives: Medium · ✗ Manual fix · Fix: Medium · Context: File

CWE-16, CWE-1188