{
    "slug": "security_misconfiguration",
    "term": "Security Misconfiguration",
    "category": "security",
    "difficulty": "beginner",
    "short": "Insecure default settings, unnecessary features, or missing hardening steps leave applications and infrastructure exposed.",
    "long": "Security misconfiguration is consistently the most prevalent OWASP finding and encompasses: default credentials left unchanged, unnecessary features or services enabled, overly permissive cloud storage buckets, verbose error messages exposing stack traces, missing security headers, and unpatched software. In PHP, a hardened configuration disables display_errors in production, sets expose_php=Off, restricts open_basedir, disables dangerous functions, and keeps the runtime patched.",
    "aliases": [
        "misconfiguration",
        "default credentials",
        "insecure defaults"
    ],
    "tags": [
        "owasp-top10",
        "misconfiguration",
        "devops"
    ],
    "misconception": "Security misconfiguration is an ops problem, not a developer problem. Default debug modes, verbose error pages, and sample files left in production are often introduced by developers and missed because there is no automated configuration audit in CI.",
    "why_it_matters": "Security misconfiguration is consistently in the OWASP Top 10 because it requires no vulnerability in your code — just leaving a default setting, an open debug endpoint, or directory listing enabled hands attackers easy wins.",
    "common_mistakes": [
        "Leaving APP_DEBUG=true or display_errors=On in production — stack traces reveal file paths, credentials, and logic.",
        "Using default credentials for databases, admin panels, or cloud consoles.",
        "Exposing .env, .git, or phpinfo() endpoints publicly.",
        "Not disabling unused PHP extensions and functions (exec, system, shell_exec) in production."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "php_ini",
        "defence_in_depth",
        "information_disclosure"
    ],
    "prerequisites": [
        "php_ini",
        "open_basedir",
        "allow_url_fopen"
    ],
    "refs": [
        "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
        "https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html"
    ],
    "bad_code": "# Misconfigured production server:\nphp.ini:\n  display_errors = On          # Stack traces to users\n  expose_php = On              # Advertises PHP version\n  allow_url_include = On       # Enables RFI\n\nnginx:\n  autoindex on;                # Directory listing enabled\n  server_tokens on;            # Nginx version in headers\n\n.env file readable via HTTP:   # DB credentials exposed\n  APP_DEBUG=true               # Debug mode in production",
    "good_code": "; php.ini production hardening checklist\nexpose_php           = Off   ; hides X-Powered-By: PHP/8.x\ndisplay_errors       = Off   ; CRITICAL — never expose to users\nlog_errors           = On\ndisable_functions    = exec,shell_exec,system,passthru,proc_open\nallow_url_fopen      = Off\nallow_url_include    = Off\nsession.cookie_httponly = On\nsession.cookie_secure   = On\nsession.use_strict_mode = On\n\n; nginx — hide server version, disable directory listing\nserver_tokens off;\nautoindex off;\n\n; File permissions:\n$ find /var/www -type f -exec chmod 644 {} \\;\n$ find /var/www -type d -exec chmod 755 {} \\;\n$ chmod 600 .env",
    "quick_fix": "In production, run PHP with display_errors=Off, expose_php=Off, open_basedir restricted to the application directory, and disable_functions covering the dangerous functions (exec, shell_exec, system, passthru, proc_open).",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/security_misconfiguration",
        "html_url": "https://codeclaritylab.com/glossary/security_misconfiguration",
        "json_url": "https://codeclaritylab.com/glossary/security_misconfiguration.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Security Misconfiguration](https://codeclaritylab.com/glossary/security_misconfiguration) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/security_misconfiguration"
            }
        }
    }
}