A05 Security Misconfiguration
What this means
SiteShadow flagged settings that are overly permissive, unsafe for production, or easy to forget (debug enabled, permissive CORS, public buckets, verbose errors, unsafe headers, etc.).
Why it matters
Misconfigurations can expose systems and data.
- Instant exposure: a single bad toggle can make private data public.
- Wider blast radius: permissive settings make other bugs easier to exploit.
- Common breach root-cause: misconfig is one of the most frequent "how did this happen?" answers.
Safer examples
1) Lock down CORS for authenticated APIs
Avoid Access-Control-Allow-Origin: * when cookies/credentials are involved.
2) Disable debug/verbose errors in production
- Don't leak stack traces, secrets, or internal paths.
- Use structured error codes + safe messages.
3) Use secure HTTP headers
Enable HSTS, frame protection, and sensible CSP where possible.
How SiteShadow detects it (high level)
- Flags known risky config patterns in app/server/proxy configs.
- Detects "dev mode" features left enabled in prod-like contexts.
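Added example (not SiteShadow's own code) that turns the three safer examples above and the detection bullets into small checkable Node functions: an allowlisted CORS response for a credentialed API, a production-safe error body, a baseline security-header set, and a header audit that flags the same misconfigurations. ALLOWED_ORIGINS and the isProduction flag are assumed names, and the allowlist value is constructed.

```javascript
// Constructed allowlist; a real deployment loads this from config.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// 1) CORS for a credentialed API: echo only an allowlisted Origin, never '*',
// and add Vary so a shared cache cannot hand one origin's response to another.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {}; // no CORS headers: browser blocks the read
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// 2) Error body: a stable code plus a safe message; the stack only outside production.
function errorBody(err, isProduction) {
  const body = { code: err.code || 'INTERNAL_ERROR', message: 'Request failed' };
  if (!isProduction) body.detail = err.stack; // stack traces and paths stay in dev
  return body;
}

// 3) Baseline headers applied to every response (HSTS, frame protection, CSP).
function securityHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  };
}

// Audit in the spirit of the detection section: returns findings for one response's headers.
function auditResponseHeaders(headers) {
  const findings = [];
  if (headers['Access-Control-Allow-Origin'] === '*' && headers['Access-Control-Allow-Credentials'] === 'true') {
    findings.push('CORS: wildcard origin combined with credentials');
  }
  if (!headers['Strict-Transport-Security']) findings.push('Missing HSTS');
  const csp = headers['Content-Security-Policy'] || '';
  if (!headers['X-Frame-Options'] && !/frame-ancestors/.test(csp)) findings.push('No frame protection');
  return findings;
}

module.exports = { corsHeaders, errorBody, securityHeaders, auditResponseHeaders };
```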
References
- OWASP Top 10: https://owasp.org/Top10/
---