API7:2019 — Security misconfiguration

Poor configuration of the API servers, and of the stack around them, gives attackers a way in that requires no flaw in the API code itself.

Configuration errors of every kind, at every layer from the operating system to the HTTP response headers, can leave gaps in the protection of your API server.

Use case

  • Unpatched systems
  • Unprotected files and directories
  • Unhardened images
  • Missing, outdated, or misconfigured TLS
  • Exposed storage or server management panels
  • Missing or overly permissive CORS policy, or missing security headers
  • Error messages with stack traces
  • Unnecessary features enabled
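Several items on this list (permissive CORS, missing security headers, stack traces in error bodies, version banners, outdated TLS) show up directly in an HTTP response, so they can be checked automatically. The audit function below is an added example, not code from the original page or from any project; the header names and stack-trace fingerprints are ordinary HTTP and framework conventions, and the two sample responses are constructed for illustration.

```python
"""Audit one API response for the misconfigurations listed above.

Added example; the sample responses are constructed, not captured.
"""
import re

# Headers an API response should carry (lower-cased name -> required substring).
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "content-security-policy": "default-src 'none'",
    "cache-control": "no-store",
}

# Fingerprints of stack traces and debug pages in response bodies.
STACK_TRACE_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),      # Python
    re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)"),          # Java
    re.compile(r"\bat [\w$.]+ \(.*\.js:\d+:\d+\)"),          # Node.js
    re.compile(r"Stack Trace:|\.cs:line \d+"),                # .NET
]

# A Server header that includes a version, e.g. "nginx/1.18.0".
SERVER_VERSION = re.compile(r"^[\w-]+/\d+(\.\d+)+")


def audit_response(status, headers, body, tls_version=None):
    """Return a list of (finding_id, detail) tuples for one HTTP response.

    headers is a plain dict; names are compared case-insensitively.
    tls_version is the negotiated protocol name, if known (assumed input).
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    for name, expected in REQUIRED_HEADERS.items():
        if expected not in h.get(name, ""):
            findings.append(("missing_header", name))

    # Wildcard origin plus credentials is the classic over-permissive CORS setup.
    acao = h.get("access-control-allow-origin", "")
    acac = h.get("access-control-allow-credentials", "").lower()
    if acao == "*" and acac == "true":
        findings.append(("cors_wildcard_with_credentials", acao))
    elif acao == "null":
        findings.append(("cors_null_origin", acao))

    server = h.get("server", "")
    if SERVER_VERSION.match(server):
        findings.append(("server_version_disclosure", server))

    for pat in STACK_TRACE_PATTERNS:
        if pat.search(body):
            findings.append(("stack_trace_in_body", pat.pattern))
            break

    if "<title>Index of /" in body or "Directory listing for" in body:
        findings.append(("directory_listing", status))

    if tls_version in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(("outdated_tls", tls_version))

    return findings


# Constructed sample: a debug-mode server answering a 500 with a traceback.
VULNERABLE = dict(
    status=500,
    headers={
        "Server": "Werkzeug/2.0.3",
        "Content-Type": "text/html",
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
    },
    body=(
        "<pre>Traceback (most recent call last):\n"
        '  File "app.py", line 12, in index\n'
        "KeyError: 'user'</pre>"
    ),
    tls_version="TLSv1",
)

# Constructed sample: the same failure from a hardened deployment.
HARDENED = dict(
    status=500,
    headers={
        "Content-Type": "application/json",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
        "Cache-Control": "no-store",
        "Access-Control-Allow-Origin": "https://app.example.com",
        "Vary": "Origin",
    },
    body='{"error": "internal_error", "incident": "7f3a9c1d2b4e"}',
    tls_version="TLSv1.3",
)

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_response(**resp))
```

Run against the vulnerable sample the audit reports four missing headers, the wildcard-plus-credentials CORS setup, the version banner, the Python traceback and the TLS 1.0 session; the hardened sample produces no findings. Checks like this belong in CI against a staging deployment, not only in a one-off scan.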

How to prevent

  • Establish repeatable hardening and patching processes, so that every environment is built the same way from a known-good baseline.
  • Automate the detection of configuration flaws, and run those checks continuously rather than once before release.
  • Disable unnecessary features, such as debug modes, unused HTTP methods and default accounts.
  • Restrict administrative access, including management panels and storage consoles, to authenticated users on trusted networks.
  • Define and enforce the schema of every response, including error responses, so that nothing unexpected, such as a stack trace or an internal field, reaches the client.
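The last two points, a fixed error shape and an allowlisted response payload, are easiest to enforce at the point where a handler serialises its output. The handler below is an added example, not code from the original page or any framework; the schema format, the header set, the `ApiError` class and the sample user record are assumptions chosen for illustration.

```python
"""Define and enforce API outputs: allowlisted payloads, fixed-shape errors
and a hardened header set on every response.

Added example; the schema format and sample data are assumptions.
"""
import json
import logging
import traceback
import uuid

log = logging.getLogger("api")

# Headers attached to every response. HSTS only makes sense behind TLS.
SECURITY_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Cache-Control": "no-store",
}

# Allowlist of response fields per endpoint (assumed format: name -> type).
# Anything not declared here is dropped before serialisation.
RESPONSE_SCHEMAS = {
    "GET /users/{id}": {"id": int, "username": str, "role": str},
}


def enforce_schema(endpoint, record):
    """Keep only declared fields of the declared type.

    Returns (payload, violations); a violation means the data layer handed
    back something the contract does not allow, which is a server bug.
    """
    schema = RESPONSE_SCHEMAS[endpoint]
    payload, violations = {}, []
    for field, typ in schema.items():
        if field not in record:
            violations.append(f"missing:{field}")
        elif not isinstance(record[field], typ):
            violations.append(f"type:{field}")
        else:
            payload[field] = record[field]
    return payload, violations


class ApiError(Exception):
    """An error the API deliberately exposes; everything else is internal."""

    def __init__(self, status, code, message):
        super().__init__(message)
        self.status, self.code, self.message = status, code, message


def render_error(exc):
    """Map any exception to a fixed-shape JSON error with no internals.

    ApiError keeps its status and code. Anything else becomes a 500 carrying
    only an opaque incident id; the traceback goes to the server log.
    """
    if isinstance(exc, ApiError):
        status, body = exc.status, {"error": exc.code, "message": exc.message}
    else:
        incident = uuid.uuid4().hex[:12]
        status, body = 500, {"error": "internal_error", "incident": incident}
        trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        log.error("incident=%s %s", incident, trace)
    return status, dict(SECURITY_HEADERS), json.dumps(body)


def handle_get_user(record):
    """Handler for GET /users/{id}; record is what the data layer returned."""
    try:
        if record is None:
            raise ApiError(404, "not_found", "no such user")
        payload, violations = enforce_schema("GET /users/{id}", record)
        if violations:
            raise RuntimeError(f"response schema violation: {violations}")
        return 200, dict(SECURITY_HEADERS), json.dumps(payload)
    except Exception as exc:  # every failure path goes through render_error
        return render_error(exc)


# Constructed sample record with fields that must never reach a client.
SAMPLE_USER = {"id": 7, "username": "alice", "role": "user",
               "password_hash": "fake-bcrypt-hash", "internal_notes": "vip"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for rec in (SAMPLE_USER, None, {"id": "7", "username": "bob", "role": "user"}):
        print(handle_get_user(rec))
```

The `password_hash` and `internal_notes` fields are silently dropped by the allowlist, a missing user yields a deliberate 404, and a record that violates the contract (a string id) produces a generic 500 whose only client-visible detail is an incident id that can be correlated with the server log. No code path can emit a traceback, regardless of how the framework's debug setting is configured.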