Web Server Security Misconfiguration

If web servers may be configured improperly, we have to reconfigure them properly. This page gives you checklists for likely misconfiguration.

- [A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)

Checklist

• The admin page allows non-admin users to access.
• Directory listing is enabled.
• Test environment is public.
• Default username and password.
• Admin’s password is easy to guess e.g. "admin", "password123", etc.
• The software is out of date or vulnerable version.
• Attacker-friendly error messages are displayed e.g. it reveals the software version.
• A cloud service provider (CSP) has default sharing permissions.
• Unsecure http protocol is used rather than https.

Check CSP (Content-Security-Policy)

We can check if the CSP is vulnerable or not using online tools as below.

• CSP Evaluator

Security Headers

• https://securityheaders.com/