SiteShadow
Back to vulnerability library
Detected byRegex rules + pattern checksFree

C01 Insecure Defaults

What this means

SiteShadow flagged a configuration or "temporary" setting that weakens security (often added for convenience during development) and can accidentally ship to production.

Why it matters

Safer examples

1) Make production "secure by default"

DEBUG = False
ALLOW_INSECURE = False

2) Fail closed in config

const allowInsecure = process.env.ALLOW_INSECURE === "true";
if (allowInsecure && process.env.NODE_ENV === "production") {
  throw new Error("ALLOW_INSECURE cannot be enabled in production");
}

3) Tighten common foot-guns

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this in your code with the free tier.

SiteShadow's free tier covers this exact pattern across the 23 OWASP Top 10 single-file checks. Sign in with your work SSO, first-time sign-in auto-issues your free license.