CWE-16: Configuration

Overview

Configuration vulnerabilities occur when applications or systems are deployed with insecure settings, missing security controls, or default configurations that expose attack surfaces. This broad category encompasses misconfigured security headers, debug mode enabled in production, exposed administrative interfaces, default credentials, improperly configured authentication mechanisms, and weak cryptographic settings. Configuration issues often stem from incomplete security hardening, lack of security awareness during deployment, or failure to follow secure configuration baselines.

OWASP Classification

A02:2025 - Security Misconfiguration

Risk

Low to High: Impact varies significantly based on the specific misconfiguration. Informational findings like missing security headers have low impact, while misconfigurations enabling authentication bypass, remote code execution, or data exposure are critical. Configuration vulnerabilities are among the most common security issues and often provide the initial foothold for sophisticated attacks.

Remediation Steps

Core principle: Never deploy with default or insecure configurations; all production deployments must follow security hardening guidelines with disabled debug modes, proper security headers, and least-privilege access controls.

Identify the Specific Configuration Issue

Review the security scan results to determine the exact misconfiguration:

  • Security headers: Missing Content-Security-Policy, X-Frame-Options, HSTS, X-Content-Type-Options
  • Debug/Verbose mode: Stack traces visible, detailed error messages, development mode enabled
  • Default settings: Default admin credentials, sample applications, unnecessary services enabled
  • Exposed interfaces: Admin panels, database management tools, API documentation accessible without authentication
  • Weak TLS/SSL: Outdated protocols (SSLv3, TLS 1.0), weak ciphers, missing certificate validation
  • Permissions: Overly permissive file/directory permissions, world-readable sensitive files

Apply Security Hardening

Implement configuration changes based on the specific issue:

Security Headers

Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
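The header set above can be enforced and verified in code rather than configured by hand on each server. The following Python example is added here and is not part of the CWE page: apply_security_headers() overwrites a response header map with the baseline values listed above and strips headers that disclose the server stack, and audit_security_headers() reports the same findings a header scanner would raise (missing headers, an HSTS max-age under one year, unsafe CSP source keywords, a disclosure header). The function names, the disclosure-header list and the sample response headers are constructed for the example.

```python
"""Security-header hardening and audit (added example; not from the CWE page).

apply_security_headers() adds the recommended headers to an outgoing
response's header map; audit_security_headers() reports what a header
scanner would flag. Names and sample values are illustrative.
"""
from __future__ import annotations

# Recommended values, as listed in the guidance above.
SECURE_HEADERS: dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}

# Headers that advertise the stack and should be stripped, not added (constructed list).
DISCLOSURE_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

HSTS_MIN_MAX_AGE = 31536000  # one year, the usual baseline


def apply_security_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return a copy of `headers` with the baseline applied.

    Existing values for the security headers are overwritten so a stale
    or weaker framework default cannot survive; disclosure headers are removed.
    """
    hardened = {k: v for k, v in headers.items() if k not in DISCLOSURE_HEADERS}
    hardened.update(SECURE_HEADERS)
    return hardened


def _parse_hsts_max_age(value: str) -> int | None:
    """Extract the integer max-age directive from an HSTS header value."""
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.lower() == "max-age" and raw.strip().isdigit():
            return int(raw.strip())
    return None


def audit_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    # HTTP header names are case-insensitive; normalise before lookup.
    present = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    for name in SECURE_HEADERS:
        if name.lower() not in present:
            findings.append(f"missing {name}")

    hsts = present.get("strict-transport-security")
    if hsts is not None:
        max_age = _parse_hsts_max_age(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below one year")

    csp = present.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy allows unsafe-inline/unsafe-eval")

    xfo = present.get("x-frame-options", "")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value {xfo!r}")

    for name in DISCLOSURE_HEADERS:
        if name.lower() in present:
            findings.append(f"{name} discloses server software")

    return findings


if __name__ == "__main__":
    # Constructed response headers from a typical unhardened deployment.
    weak = {
        "Content-Type": "text/html",
        "Server": "Apache/2.4.41",
        "Strict-Transport-Security": "max-age=300",
    }
    for finding in audit_security_headers(weak):
        print("FAIL:", finding)
    print("after hardening:", audit_security_headers(apply_security_headers(weak)))
```

Running the audit against a live response is a matter of feeding it the header map your HTTP client returns; running it in CI against the framework's default response catches a regression (for example an upgrade that re-enables a Server banner) before a deployment does.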

Debug/Production Mode

  • Set environment to production (NODE_ENV=production, DEBUG=false, app.debug = False)
  • Disable stack traces and verbose error messages for end users
  • Remove development/test accounts and endpoints
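A fail-closed settings loader makes the first two bullets enforceable rather than advisory. The Python example below is added here and is not taken from the page: load_settings() derives settings from environment variables with production and debug-off as the defaults and refuses to start when DEBUG is on in production, and error_response() logs the full traceback server-side under an opaque reference id while returning only a generic message to the client. The variable names APP_ENV and DEBUG, the Settings fields and the sample exception are assumptions of the example.

```python
"""Fail-closed production settings (added example; not from the CWE page).

load_settings() builds runtime settings from environment variables and
refuses to start a production deployment with debug enabled;
error_response() uses the same settings to decide what an end user sees
when an unhandled exception occurs. Variable names are illustrative.
"""
from __future__ import annotations

import logging
import traceback
import uuid
from dataclasses import dataclass

log = logging.getLogger("app")

TRUTHY = {"1", "true", "yes", "on"}


@dataclass(frozen=True)
class Settings:
    environment: str
    debug: bool
    expose_tracebacks: bool


class InsecureConfiguration(Exception):
    """Raised when the environment would deploy an insecure configuration."""


def load_settings(environ: dict[str, str]) -> Settings:
    """Derive settings from `environ` with secure defaults.

    Unset values fall back to the safe choice: APP_ENV defaults to
    'production' and DEBUG defaults to off (assumed variable names).
    """
    environment = environ.get("APP_ENV", "production").strip().lower()
    debug = environ.get("DEBUG", "false").strip().lower() in TRUTHY

    if environment == "production" and debug:
        # Refuse to start rather than silently serve stack traces.
        raise InsecureConfiguration("DEBUG must be disabled when APP_ENV=production")

    return Settings(
        environment=environment,
        debug=debug,
        # Tracebacks reach the client only in non-production debug runs.
        expose_tracebacks=debug and environment != "production",
    )


def error_response(exc: Exception, settings: Settings) -> tuple[int, dict[str, str]]:
    """Build the (status, body) pair returned for an unhandled exception.

    In production the user gets a generic message plus an opaque reference
    id; the traceback goes to the server log keyed by that id, so the
    operator can correlate a report without the client seeing internals.
    """
    reference = uuid.uuid4().hex
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("unhandled exception ref=%s\n%s", reference, detail)

    if settings.expose_tracebacks:
        return 500, {"error": str(exc), "traceback": detail, "reference": reference}
    return 500, {"error": "An internal error occurred.", "reference": reference}


if __name__ == "__main__":
    settings = load_settings({"APP_ENV": "production"})
    try:
        # Constructed failure whose message would leak internals if shown.
        raise ValueError("connection to db-primary.internal refused")
    except ValueError as exc:
        status, body = error_response(exc, settings)
    print(status, body)  # generic message and reference id only
```

The two defaults are the point: a deployment that forgets to set APP_ENV or DEBUG lands in production mode with tracebacks off, and a deployment that sets both to unsafe values fails at startup, where it is noticed, instead of at the first error page a user sees.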

Default Credentials

  • Change all default passwords immediately
  • Remove or disable default administrative accounts
  • Require strong passwords for all accounts

Access Controls

  • Restrict admin interfaces to internal networks only
  • Require authentication for all sensitive endpoints
  • Implement proper role-based access control (RBAC)

Follow Security Configuration Baselines

Use industry-standard hardening guides:

  • CIS Benchmarks: Center for Internet Security configuration standards
  • OWASP ASVS: Application Security Verification Standard configuration requirements
  • NIST SP 800-53: Security and Privacy Controls
  • Platform-specific guides: AWS Security Best Practices, Azure Security Baseline, etc.

Implement Configuration Management

  • Version control: Store configurations in version control (excluding secrets)
  • Infrastructure as Code: Use Terraform, CloudFormation, Ansible for reproducible deployments
  • Secret management: Use HashiCorp Vault, AWS Secrets Manager, Azure Key Vault for credentials
  • Configuration validation: Automated scanning of configurations before deployment
  • Separate environments: Different configurations for dev, staging, production
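Configuration validation before deployment means checking the descriptor for the issue categories listed under Identify the Specific Configuration Issue: debug mode in production, default credentials, exposed admin interfaces, weak TLS floors, missing certificate validation and over-permissive file modes. The Python audit below is an added example, not the page's or any product's code. Its configuration schema (the keys environment, debug, accounts, admin_interface, tls and sensitive_files), the default-credential list and both sample configurations are constructed for illustration; file modes are passed in as octal integers, where a real pipeline would read them with os.stat(path).st_mode.

```python
"""Pre-deployment configuration audit (added example; not from the CWE page).

audit_config() checks a deployment configuration for the misconfiguration
categories the guidance lists. The configuration schema used here is
hypothetical; adapt the keys to the real deployment descriptor.
"""
from __future__ import annotations

import ssl
import stat
from typing import Any

# Credential pairs shipped as factory defaults by many products (constructed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "changeme")}

# Bind addresses that keep an admin interface off external networks.
INTERNAL_BIND_HOSTS = {"127.0.0.1", "::1", "localhost"}

MIN_PASSWORD_LENGTH = 12
TLS_FLOOR = ssl.TLSVersion.TLSv1_2
# Other-readable, other-writable or group-writable bits on a sensitive file.
PERMISSIVE_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IWGRP


def audit_config(cfg: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings: list[str] = []

    # Debug/verbose mode must be off outside development.
    if cfg.get("environment") == "production" and cfg.get("debug", False):
        findings.append("debug mode enabled in production")

    # Default credentials and weak passwords.
    for account in cfg.get("accounts", []):
        user, pw = account.get("username", ""), account.get("password", "")
        if (user, pw) in DEFAULT_CREDENTIALS:
            findings.append(f"account {user!r} uses a default credential")
        elif len(pw) < MIN_PASSWORD_LENGTH:
            findings.append(f"account {user!r} has a password shorter than {MIN_PASSWORD_LENGTH} characters")

    # Admin interfaces: internal address only, authentication required.
    admin = cfg.get("admin_interface")
    if admin:
        host = admin.get("bind_host")
        if host not in INTERNAL_BIND_HOSTS:
            findings.append(f"admin interface bound to {host!r}, not an internal address")
        if not admin.get("auth_required", False):
            findings.append("admin interface does not require authentication")

    # TLS floor and certificate validation. minimum_version uses the
    # ssl.TLSVersion member names (e.g. TLSv1_2).
    tls = cfg.get("tls", {})
    name = tls.get("minimum_version", "")
    try:
        floor = ssl.TLSVersion[name]
    except KeyError:
        findings.append(f"tls.minimum_version {name!r} is not a recognised protocol name")
    else:
        if floor < TLS_FLOOR:
            findings.append(f"TLS minimum version {name} is below TLSv1_2")
    if tls.get("verify_certificates") is not True:
        findings.append("TLS certificate validation is not enabled")

    # File permissions on secrets and keys.
    for entry in cfg.get("sensitive_files", []):
        mode = entry["mode"]
        if mode & PERMISSIVE_BITS:
            findings.append(f"{entry['path']} is readable or writable by other users (mode {mode:o})")

    return findings


# Constructed sample: a deployment that would fail the audit.
WEAK_CONFIG: dict[str, Any] = {
    "environment": "production",
    "debug": True,
    "accounts": [
        {"username": "admin", "password": "admin"},
        {"username": "deploy", "password": "Xk9#pLq2vR7mT4wZ"},
    ],
    "admin_interface": {"bind_host": "0.0.0.0", "auth_required": False},
    "tls": {"minimum_version": "TLSv1", "verify_certificates": False},
    "sensitive_files": [{"path": "/etc/app/secrets.env", "mode": 0o644}],
}

# Constructed sample: the same deployment after hardening.
HARDENED_CONFIG: dict[str, Any] = {
    "environment": "production",
    "debug": False,
    "accounts": [{"username": "deploy", "password": "Xk9#pLq2vR7mT4wZ"}],
    "admin_interface": {"bind_host": "127.0.0.1", "auth_required": True},
    "tls": {"minimum_version": "TLSv1_2", "verify_certificates": True},
    "sensitive_files": [{"path": "/etc/app/secrets.env", "mode": 0o600}],
}

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("FAIL:", finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Wiring a check like this into the deployment pipeline, with a non-empty findings list failing the build, is what turns the version-controlled configuration into something the pipeline can reject before it reaches staging or production.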

Regular Security Audits

  • Periodic configuration reviews against security baselines
  • Automated configuration scanning (e.g., AWS Config, Azure Policy)
  • Penetration testing to identify configuration weaknesses
  • Security header testing (securityheaders.com, Mozilla Observatory)

Dynamic Scan Guidance

For guidance on remediating this CWE when detected by dynamic (DAST) scanners:

Additional Resources