Definition

Security Misconfiguration occurs when APIs or supporting infrastructure are not securely configured, leaving systems exposed due to weak settings, missing protections, or improper setup.

It is not a single vulnerability, but a collection of basic security failures in configuration and deployment.

Core idea

Even if the code is secure, the system can still be vulnerable if:

• Servers are misconfigured
• Security controls are missing or weak
• Default settings are left unchanged
• Excess permissions are granted

Attackers actively scan for these weaknesses automatically.

Common misconfigurations

• Unpatched systems or outdated software
• Unnecessary services left enabled
• Missing security headers:
  • CORS misconfigured
  • HSTS not enabled
• Weak or missing authentication on APIs
• Overly permissive access controls
• Insecure cookies