Security Misconfiguration
Also Known As
misconfiguration
default credentials
insecure defaults
TL;DR
Insecure default settings, unnecessary features, or missing hardening steps leave applications and infrastructure exposed.
Explanation
Security misconfiguration is consistently the most prevalent OWASP finding and encompasses: default credentials left unchanged, unnecessary features or services enabled, overly permissive cloud storage buckets, verbose error messages exposing stack traces, missing security headers, and unpatched software. In PHP, a hardened configuration disables display_errors in production, sets expose_php=Off, restricts open_basedir, disables dangerous functions, and keeps the runtime patched.
Common Misconception
✗ Security misconfiguration is an ops problem, not a developer problem. Default debug modes, verbose error pages, and sample files left in production are often introduced by developers and missed because there is no automated configuration audit in CI.
Why It Matters
Security misconfiguration is consistently in the OWASP Top 10 because it requires no vulnerability in your code — just leaving a default setting, an open debug endpoint, or directory listing enabled hands attackers easy wins.
Common Mistakes
- Leaving APP_DEBUG=true or display_errors=On in production — stack traces reveal file paths, credentials, and logic.
- Using default credentials for databases, admin panels, or cloud consoles.
- Exposing .env, .git, or phpinfo() endpoints publicly.
- Not disabling unused PHP extensions and functions (exec, system, shell_exec) in production.
Code Examples
✗ Vulnerable
# Misconfigured production server:
php.ini:
display_errors = On ; Stack traces shown to users
expose_php = On ; Advertises the PHP version in X-Powered-By
allow_url_include = On ; Enables remote file inclusion (RFI)
nginx:
autoindex on; # Directory listing enabled
server_tokens on; # Nginx version in Server header
.env file readable via HTTP: # DB credentials exposed
APP_DEBUG=true # Debug mode in production
✓ Fixed
; php.ini production hardening checklist
expose_php = Off ; hides X-Powered-By: PHP/8.x
display_errors = Off ; CRITICAL: never expose errors to users
log_errors = On ; errors go to the log, not the response
disable_functions = exec,shell_exec,system,passthru,proc_open
allow_url_fopen = Off
allow_url_include = Off
session.cookie_httponly = On
session.cookie_secure = On
session.use_strict_mode = On
# nginx: hide server version, disable directory listing
server_tokens off;
autoindex off;
# File permissions (shell): world-readable code, private .env
$ find /var/www -type f -exec chmod 644 {} \;
$ find /var/www -type d -exec chmod 755 {} \;
$ chmod 600 .env
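The Common Misconception section notes that these defaults slip through because nothing audits configuration in CI, and the Detection Hints describe exactly which directives to look for. The following is an added example (not code from the original page) of such an audit: it parses php.ini and nginx config text offline and reports every deviation from the hardening checklist above, so a pipeline can fail the build before a misconfigured server ships. The directive names and values are the ones on this page; the sample configs, the `open_basedir` path and the `Finding` type are constructed for the example.

```python
"""Added example: CI configuration audit for the PHP/nginx hardening checklist."""
import re
from dataclasses import dataclass

# Production values from the hardening checklist (boolean php.ini directives).
PHP_EXPECTED = {
    "display_errors": "Off",
    "expose_php": "Off",
    "log_errors": "On",
    "allow_url_fopen": "Off",
    "allow_url_include": "Off",
    "session.cookie_httponly": "On",
    "session.cookie_secure": "On",
    "session.use_strict_mode": "On",
}
# Functions that must all appear in disable_functions.
DANGEROUS_FUNCTIONS = {"exec", "shell_exec", "system", "passthru", "proc_open"}
# nginx directives, plus nginx's built-in default when the directive is absent
# (server_tokens defaults to on, so an absent directive is still a finding).
NGINX_EXPECTED = {"server_tokens": "off", "autoindex": "off"}
NGINX_DEFAULTS = {"server_tokens": "on", "autoindex": "off"}


@dataclass(frozen=True)
class Finding:
    source: str      # file the finding came from
    directive: str
    actual: str
    expected: str


def parse_php_ini(text):
    """Parse php.ini-style text into {directive: value}; strips ';' comments and
    [section] headers, later assignments override earlier ones, quotes are removed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def php_bool(value):
    """Normalise php.ini boolean spellings (On/1/true/yes vs Off/0/false/no/none/empty)."""
    v = value.strip().lower()
    if v in ("1", "on", "true", "yes"):
        return "On"
    if v in ("", "0", "off", "false", "no", "none"):
        return "Off"
    return value  # unrecognised spelling is reported verbatim


def audit_php_ini(text, source="php.ini"):
    """Return a Finding for every checklist deviation in a php.ini."""
    settings = parse_php_ini(text)
    findings = []
    for directive, expected in PHP_EXPECTED.items():
        if directive not in settings:
            # Require explicit values: an absent directive silently takes a
            # compiled-in default that nobody reviewing the file can see.
            findings.append(Finding(source, directive, "(not set)", expected))
        elif php_bool(settings[directive]) != expected:
            findings.append(Finding(source, directive, settings[directive], expected))
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(DANGEROUS_FUNCTIONS - disabled)
    if missing:
        findings.append(Finding(source, "disable_functions", "missing " + ",".join(missing),
                                ",".join(sorted(DANGEROUS_FUNCTIONS))))
    if not settings.get("open_basedir"):
        findings.append(Finding(source, "open_basedir", "(not set)", "restricted path list"))
    return findings


_NGINX_DIRECTIVE = re.compile(r"^\s*(server_tokens|autoindex)\s+(\S+?)\s*;")


def audit_nginx(text, source="nginx.conf"):
    """Return Findings for server_tokens / autoindex that are (or default to) on."""
    seen = dict(NGINX_DEFAULTS)
    for raw in text.splitlines():
        m = _NGINX_DIRECTIVE.match(raw.split("#", 1)[0])  # '#' starts an nginx comment
        if m:
            seen[m.group(1)] = m.group(2).lower()
    return [Finding(source, d, seen[d], exp) for d, exp in NGINX_EXPECTED.items() if seen[d] != exp]


# Constructed samples mirroring the vulnerable and fixed configurations above.
VULNERABLE_INI = "display_errors = On ; stack traces\nexpose_php = On\nallow_url_include = On\n"
HARDENED_INI = """\
expose_php = Off
display_errors = Off
log_errors = On
disable_functions = exec,shell_exec,system,passthru,proc_open
allow_url_fopen = Off
allow_url_include = Off
session.cookie_httponly = On
session.cookie_secure = On
session.use_strict_mode = On
open_basedir = "/var/www/app:/tmp" ; constructed path list for the example
"""
VULNERABLE_NGINX = "server {\n    autoindex on; # directory listing\n    server_tokens on;\n}\n"
HARDENED_NGINX = "server {\n    server_tokens off;\n    autoindex off;\n}\n"

if __name__ == "__main__":
    findings = audit_php_ini(VULNERABLE_INI) + audit_nginx(VULNERABLE_NGINX)
    for f in findings:
        print(f"{f.source}: {f.directive} = {f.actual!r}, expected {f.expected}")
    raise SystemExit(1 if findings else 0)  # non-zero exit fails the CI job
```

Run against the vulnerable sample it reports ten php.ini findings and two nginx findings and exits 1; against the hardened sample it exits 0. Treating an absent directive as a finding is deliberate: PHP's compiled-in defaults for `display_errors` and `expose_php` are on, so a file that simply omits them is not hardened.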
References
Tags
Added
15 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: Low
⚡ Quick Fix
Run PHP with display_errors=Off, expose_php=Off, open_basedir set, disable_functions set for dangerous functions in production
📦 Applies To
PHP 5.0+
web
cli
🔗 Prerequisites
🔍 Detection Hints
display_errors=On or expose_php=On in production php.ini or phpinfo() accessible publicly
Auto-detectable:
✓ Yes
phpstan
owasp-zap
lighthouse
⚠ Related Problems
🤖 AI Agent
Confidence: High
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File
CWE-16
CWE-1188