OWASP TOP 10 / A05:2021
Security Misconfiguration
Insecure default settings, incomplete configurations, verbose errors, and unnecessary features left enabled.
Misconfiguration spans the whole stack — default credentials, open cloud buckets, unnecessary services, missing security headers, and overly detailed error messages that leak internals. XML external entity (XXE) processing also falls here.
It is extremely common because systems ship insecure by default and configurations drift over time.
How to prevent it
Harden by default, remove unused features, automate configuration, set security headers, and disable verbose errors in production.
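A small defensive check for two of the symptoms listed above, missing security headers and verbose error pages that leak internals. This is an added example, not code from OWASP or from this page; the required-header list, the error-signature patterns and the two sample responses are constructed assumptions.

```python
import re

# Headers a hardened production response is expected to carry (assumed baseline).
REQUIRED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
}

# Body fragments typical of a verbose error page (constructed signatures).
VERBOSE_ERROR_PATTERNS = [
    r"Traceback \(most recent call last\)",      # Python stack trace
    r"\bat [\w.$]+\([\w]+\.java:\d+\)",          # Java stack frame
    r"Stack trace:",                             # PHP / .NET style
    r"ORA-\d{5}|SQLSTATE\[",                     # raw database errors
]

# Headers that commonly disclose a product version.
VERSION_DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def audit_response(status, headers, body):
    """Return a list of misconfiguration findings for one HTTP response."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name in sorted(REQUIRED_HEADERS - set(lower)):
        findings.append(f"missing header: {name}")
    for name in VERSION_DISCLOSURE_HEADERS:
        value = lower.get(name, "")
        if re.search(r"\d+\.\d+", value):          # e.g. "Apache/2.4.1"
            findings.append(f"version disclosed in {name}: {value}")
    for pattern in VERBOSE_ERROR_PATTERNS:
        if re.search(pattern, body):
            findings.append(f"verbose error body matches /{pattern}/ (status {status})")
            break
    return findings


# Constructed sample responses: one misconfigured, one hardened.
MISCONFIGURED = (500, {"Server": "Apache/2.4.1", "Content-Type": "text/html"},
                 '<pre>Traceback (most recent call last):\n  File "/srv/app/views.py"</pre>')
HARDENED = (500, {"Server": "Apache",
                  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                  "Content-Security-Policy": "default-src 'self'",
                  "X-Content-Type-Options": "nosniff",
                  "X-Frame-Options": "DENY"},
            "<h1>Internal Server Error</h1>")

if __name__ == "__main__":
    for label, resp in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(label, audit_response(*resp))
```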
Mapped weaknesses (CWE)
CWE-16 Configuration
CWE-611 XML External Entity (XXE)
CWE-732 Incorrect Permission Assignment for Critical Resource
CWE-1032 OWASP Top Ten 2017 Category A6 - Security Misconfiguration
Free tools to test for it
Related terms
Part of the OWASP Top 10 reference. See also the CWE weaknesses and Web Security hub.