How to Prevent the Most Common Web Security Misconfigurations


A modern web infrastructure includes a maze of multiple connections between websites, web apps, servers, third-party code, libraries, platforms, cloud services, frameworks, and so on. Programming frameworks, for instance, have simplified the development process, significantly cutting down on the time and effort required to build applications. Yet these same frameworks often come with complex configurations that, when left unreviewed, quietly become security misconfigurations. Open-source code, too, is frequently used because it’s versatile and accessible, but it may ship with default settings that leave security gaps, potentially rendering the application, and the entire stack, vulnerable.

Security misconfigurations are such a common problem that the Open Web Application Security Project (OWASP), a non-profit foundation dedicated to improving web software security, puts them at number five on its top 10 chart of the most severe web app security risks. So, in this article, we look at some of the most common examples and discuss how website owners and developers can keep web security misconfigurations at bay.

Common web security misconfigurations

Insecure default credentials

In 2021, a security researcher discovered that the source code for Nissan North America’s internal mobile apps was left exposed due to someone leaving a default password unchanged on a Git server. Web applications, servers, and databases often come with out-of-the-box usernames and passwords enabled. Not changing these can expose systems to unauthorized access, as attackers will happily trawl through common logins until they gain entry.

For this reason, ‘Change credentials straight away’ should be one of the entries in your secure password policy, which should also include elements like these:

  • A minimum of 8 characters, including letters, numbers, and symbols,
  • Don’t use common or previously breached passwords
  • Scheduled password changes
  • Add multi-factor authentication
  • Strong discouragement of reusing passwords across accounts
  • The same applies to sharing passwords with others
  • Keep a password history to track passwords and avoid reuse
  • Encrypted password storage

This is only a general guide. It’s worth checking industry-specific requirements as they can vary. For example, PCI-DSS v4.0 calls for at least 12 characters in passwords when protecting customer data.
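The policy items above can be enforced in code at the point where a user sets a password. The following is an added example, not code from the article or from Reflectiz; the breached-password set is a constructed stand-in for a real breach corpus, and history entries are stored as salted PBKDF2 digests so old passwords are never kept in clear.

```python
import hashlib
import os
import re
from typing import List, Optional, Tuple

# Constructed sample of breached passwords; a real deployment would consult a breach corpus.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}
PBKDF2_ROUNDS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256: the (salt, digest) pair is what gets stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def in_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Re-derive the candidate under each stored salt, so past passwords are never kept in clear."""
    return any(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS) == digest
        for salt, digest in history
    )

def check_password(candidate: str, history: List[Tuple[bytes, bytes]], min_length: int = 8) -> List[str]:
    """Return the policy violations for a proposed password; an empty list means it passes.

    min_length defaults to the article's 8 but can be raised (e.g. 12 for PCI DSS v4.0 scope).
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"fewer than {min_length} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no symbols")
    if candidate.lower() in BREACHED:
        problems.append("found in breached-password list")
    if in_history(candidate, history):
        problems.append("reused from password history")
    return problems
```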

Insecure default settings

Web apps, servers, and databases also come with default settings that need to be changed. For instance, the default settings for a SaaS-based storage service may allow anyone to gain access, and security features like two-factor authentication and encryption may be options that the user needs to set. Leaving them as they are would constitute a security misconfiguration which could leave data as well as other system components wide open to an opportunist attacker. Data needs to be encrypted whether it is at rest or in transit in applications or cloud instances to avoid exposing sensitive information.

Enabling unnecessary features

Disable or remove any unnecessary features, modules, or services that your application doesn’t use. Every one of them represents a potential weak point, and by disabling or removing the unnecessary ones, you reduce the size of the attack surface, minimize the number of areas that need to be secured and maintained, and so reduce the overall risk of vulnerabilities being exploited. Reflectiz creates a map of every component in your web infrastructure, so use this as a starting point for establishing what features are necessary.

Excess privileges

Employees and contractors should only be given access to the minimum number of system resources that they need to fulfill their responsibilities. This is known as the principle of least privilege. It works well because it’s a way of limiting the damage that any one person in an organization can do (either accidentally or deliberately) because their actions are contained within the areas that they can access. Allowing them greater privileges than they need would be a security misconfiguration.

The same principle works for system components, too. Using containerization or cloud security groups to separate components and assets in application architecture follows the same idea of isolating elements to contain them, but this can be difficult with tracking technologies that are so intertwined with modern websites. This is why Reflectiz is so useful. The solution discovered forgotten tracking pixels that were still gathering user data long after their permission to do so had expired. It is this kind of security misconfiguration that can expose you to data loss, followed by hefty fines and lawsuits.

Controlling role-based access needs to be baked into policies because people change roles or leave the organization entirely, and temporary staff are even more changeable. 

To ensure this works, you’ll need to have procedures in place to ensure that permissions are reviewed for ex-employees, current employees moving to different roles with different responsibilities, and temporary contractors. This approach cuts down on the potential for security mishaps, and it ties in with the need for robust user authentication and authorization mechanisms.

As for components, Reflectiz can help with mapping them, reviewing what they can access, and where they are sending data. Many security standards and regulations, such as PCI DSS, GDPR, or HIPAA, emphasize the importance of minimizing the attack surface by disabling unnecessary services or features. Compliance with these standards may be easier when the system is streamlined for essential functionality.

Outdated software and libraries

Outdated software and libraries contribute to security misconfigurations in web applications because older versions often carry known, publicly documented security issues. For example, if you continue using legacy SSL/TLS protocols or cryptographic ciphers that have known vulnerabilities, you’re essentially missing out on the most up-to-date protections.

Outdated software and libraries may contain unpatched security vulnerabilities, and they will no longer receive security updates, which will leave your system open to threats. Another problem is that older software may not integrate well with newer components, so you end up with more security gaps.

To avoid these problems, regularly update your software, including operating systems, web servers, and application frameworks. Keep track of security patches and apply them promptly. Monitor third-party libraries and components for vulnerabilities and retire unsupported software as quickly as possible. Use tools that identify outdated components and suggest updates, conduct security assessments that look for vulnerabilities including outdated software, and have your security policy mandate timely updates so that no component gets left behind.

Unsafe error handling

Revealing overly informative error messages or stack traces to users can be a problem because it can reveal enough information about the system for attackers to engineer a hack.

These messages provide clues about the site’s architecture, technologies used, and potential flaws. For instance, revealing stack traces can aid attackers in identifying vulnerabilities. Even when error messages don’t reveal excessive detail, inconsistencies can still provide valuable insights. For example:

  • A “file not found” message indicates the presence of a file.
  • An “access denied” message hints at the existence of restricted files.

Implement proper error handling and logging mechanisms to prevent sensitive information from being leaked to users and to aid in security incident investigation.
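As an added example (not code from the article or from Reflectiz), here is a leaky handler beside a hardened one, plus a lookup that answers "missing" and "forbidden" identically so the response cannot confirm which files exist. `failing_query` and `DOCS` are constructed stand-ins for a backend call and a document store.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

def failing_query():
    """Constructed stand-in for a backend call that fails with path and technology detail."""
    raise RuntimeError("connection refused in /srv/app/db/postgres_pool.py")

def leaky_handler(action):
    """Misconfigured: the stack trace goes to the client, exposing file paths, frameworks and logic."""
    try:
        return 200, action()
    except Exception:
        return 500, traceback.format_exc()

def safe_handler(action):
    """Hardened: full detail goes to server-side logs under an incident id; the client gets only the id."""
    try:
        return 200, action()
    except Exception:
        incident_id = uuid.uuid4().hex
        log.exception("unhandled error incident_id=%s", incident_id)  # trace stays with the investigators
        return 500, f"Something went wrong. Reference: {incident_id}"

# Constructed document store for the consistency point: missing and not-yours look the same.
DOCS = {"public-1": {"owner": "alice", "body": "hello"}, "private-2": {"owner": "bob", "body": "secret"}}

def lookup_document(doc_id, user):
    """Answer 'missing' and 'not yours' identically so the response does not confirm what exists."""
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != user:
        return 404, "Not found"
    return 200, doc["body"]
```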

Misconfigured security headers

Misconfigured or absent security headers are a potential weak point in client-side security that bad actors will exploit to carry out common attacks like Cross-Site Scripting (XSS), Clickjacking, and Cross-Site Request Forgery (CSRF). Implementing a Content Security Policy will help to mitigate common web vulnerabilities and limit content injection attacks. On the same theme, input fields need to be configured to stop injection attacks by validating and sanitizing all entered data.
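The following added example (not the article's or Reflectiz's code) shows a weak header set beside a corrected one for the same page, and a small audit function that flags the gaps the paragraph names: CSP for XSS and content injection, framing restrictions for clickjacking, and cookie attributes for session hijacking and CSRF. Header values are constructed; the audit is a coarse baseline, not a full CSP parser.

```python
from typing import Dict, List

# Constructed: what an unhardened default server might send.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Set-Cookie": "session=abc123; Path=/",
}

# The corrected set for the same page.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy (XSS / content injection)")
    elif "'unsafe-inline'" in csp or "*" in csp.split(";")[0]:
        # Coarse check: inline scripts or a wildcard default-src defeat the point of a CSP.
        findings.append("CSP allows inline or wildcard sources (XSS)")
    framing_ok = (csp is not None and "frame-ancestors" in csp) or \
        h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    if not framing_ok:
        findings.append("no framing restriction (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff (MIME sniffing)")
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security (downgrade to HTTP)")
    cookie = h.get("set-cookie", "").lower()
    for attr in ("secure", "httponly", "samesite"):
        if cookie and attr not in cookie:
            findings.append(f"session cookie lacks {attr} (hijacking / CSRF)")
    return findings
```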

Insecure Session Management

Implement secure session management practices, including generating strong session identifiers, setting appropriate session timeouts, and protecting against session fixation and hijacking attacks.
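As an added example (not the article's or Reflectiz's code), a minimal server-side session store that applies each practice named above: identifiers from the OS CSPRNG, idle and absolute timeouts, and rotation of the identifier at login so a fixated id is useless. The store is in-memory and the clock is injectable, both assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session is dead
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime cap, regardless of activity

class SessionStore:
    """Server-side session table (in-memory here, for illustration). Clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, user=None) -> str:
        # 256 bits from the OS CSPRNG: not guessable, unlike sequential or timestamp-derived ids.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str):
        """Return a copy of the session record if it is live, else None (unknown, idle too long, or too old)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return dict(s)

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the id at authentication so an id planted on the victim before login is worthless."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```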

Unpublished URLs not blocked

Unpublished URLs, used by those who maintain applications, are not meant to be accessed by ordinary users. If attackers find them, they can pose a risk, so ensure they are blocked.

Improper application coding practices

Implement proper input/output data validation to avoid code injection attacks which work by injecting code that the application executes.

Inadequate security constraints

Configure security constraints in your web server and application server to restrict access to sensitive resources and directories.

Insecure file uploads

If your application allows file uploads, implement secure file upload practices, such as restricting file types, validating file content, and storing uploaded files in a separate directory outside the web root.
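The three practices above, as an added example that is not the article's or Reflectiz's code: an extension allowlist checked against the file's magic bytes, a size limit, and storage under a random server-chosen name with no execute bit. `upload_dir` is assumed to be outside the web root, and the inputs in `demo` are constructed.

```python
import os
import secrets
import tempfile
from pathlib import Path
from typing import Dict

MAX_BYTES = 5 * 1024 * 1024
# Allowed extension -> magic bytes the content must start with; name and content must agree.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}

def validate_upload(filename: str, data: bytes) -> str:
    """Return the accepted extension, or raise ValueError saying why the upload is refused."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match declared type")
    return ext

def store_upload(filename: str, data: bytes, upload_dir: Path) -> Path:
    """Write under a random server-chosen name; upload_dir is assumed to live outside the web root."""
    ext = validate_upload(filename, data)
    dest = upload_dir / (secrets.token_hex(16) + ext)  # the user-supplied name never reaches the disk
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # no exec bit, no overwrite
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest

def demo() -> Dict[str, str]:
    """Run the checks over constructed inputs in a throwaway directory; returns the outcome per file."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,   # genuine-looking PNG header
        "script.php": b"<?php echo 'x'; ?>",                # disallowed extension
        "fake.png": b"<?php echo 'x'; ?>",                  # png name, non-png content
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            try:
                results[name] = "stored as " + store_upload(name, data, Path(tmp)).name
            except ValueError as err:
                results[name] = "rejected: " + str(err)
    return results
```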

Insecure communication

Use secure communication protocols like HTTPS to protect data in transit and prevent man-in-the-middle attacks.

Intermittent security audits

Conduct regular security audits and penetration testing to identify and address potential security misconfigurations and vulnerabilities.

Conclusion

Reflectiz is the best armor your websites can wear against web security misconfigurations. Our sophisticated platform protects them against vulnerabilities by constantly scanning for code changes, changes to behavior, and attempts at data exfiltration. It identifies malicious scripts and domains, notices changes in your web pages, prioritizes the most severe issues first so your team avoids alert fatigue, and applies blocking on demand, if needed, to close the door on malicious activity. It’s a user-friendly threat detection system that takes a risk-based approach to reporting. It delivers attack intelligence via an intuitive user interface that’s a dream to work with. If you’d like to level up your defenses against web security misconfigurations, sign up today.
