SCP10 Configuration
What this means
SiteShadow flagged configuration defaults or environment-specific settings that can create security risk (debug features enabled, permissive CORS, weak headers, unsafe deployment flags, overly broad permissions).
Why it matters
Misconfiguration is a common source of security incidents.
- Accidental exposure: debug endpoints, admin consoles, or verbose errors in production.
- Policy bypass: permissive CORS/headers/auth toggles undermine app-level controls.
- Cloud/container risk: overly broad IAM, public buckets, privileged containers (see
CLOUD01/CONTAINER01).
Safer examples
1) Use "secure by default" configuration
Disable debug modes, disable directory listings, require auth, and set safe security headers.
2) Make risky settings explicit and environment-scoped
Only allow insecure toggles in local/dev, and make production refuse to start if they're enabled.
3) Automate configuration checks in CI/CD
Validate IaC/K8s/Docker settings and enforce security gates (see CICD01 / K8S01-04).
How SiteShadow detects it (high level)
- Detects risky config flags and weak defaults in app config, infra config, and container/K8s manifests.
- Flags mismatches between environment (prod) and security-critical settings (debug, CORS, headers, TLS).
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
---