API7:2019 — Security misconfiguration

Poor configuration of the API servers allows attackers to exploit them.

All kinds of configuration errors can leave gaping holes in the protection of your API server.

Use case

Unpatched systems
Unprotected files and directories
Unhardened images
Missing, outdated, or misconfigured TLS
Exposed storage or server management panels
Missing CORS policy or security headers
Error messages with stack traces
Unnecessary features enabled

How to prevent

Establish repeatable hardening and patching processes.
Automate locating configuration flaws.
Disable unnecessary features.
Restrict administrative access.
Define and enforce all outputs, including errors.

Copyright 42Crunch 2021