Misconfig Detector
Scan headers and config files for common security misconfigurations.
Paste Configuration
Paste configuration to analyze
Features
- Paste configuration snippets to detect common security misconfigurations
- Covers: exposed debug endpoints, insecure CORS, default credentials, open admin interfaces
- Pattern matching for Nginx, Apache, Docker Compose, and application configs
- Risk level classification: critical, high, medium, low
- Remediation guidance with secure configuration examples
- Supports YAML, JSON, Nginx config, and plain text
Common Use Cases
- Quick security review of server or application configuration files
- Detect accidentally exposed admin interfaces or debug endpoints
- Audit Docker Compose files for insecure environment variables or exposed ports
- Check Nginx/Apache configs for dangerous options before deploying
- Pre-commit hook to catch security mistakes in configuration
Security Misconfiguration
Security misconfiguration is consistently one of the OWASP Top 10 vulnerabilities. It encompasses a wide range of issues: default credentials, unnecessary features enabled, overly permissive CORS, exposed debug information, and insecure default settings.
Unlike code vulnerabilities that require exploiting logic flaws, misconfigurations often expose open doors directly. Common examples include: debug mode enabled in production, admin interfaces accessible from the internet, default passwords never changed, and verbose error messages revealing stack traces.
Automated misconfiguration detection provides a safety net alongside manual code review, catching patterns that are easy to overlook under development pressure.
Examples
DEBUG=True # CRITICAL: never in productionAccess-Control-Allow-Origin: *
Access-Control-Allow-Credentials: truelocation /admin {
# Missing: allow only internal IPsFrequently Asked Questions
The most frequent are:
- Debug/verbose logging enabled in production
- Default credentials on databases, admin panels, or cloud resources
- Overly permissive CORS (especially wildcard with credentials)
- S3 buckets or cloud storage set to public
- Admin/monitoring interfaces exposed without authentication
- Old software versions with known CVEs
Tools like trivy config, tfsec (for Terraform), kube-bench (for Kubernetes), and cfn-nag (for CloudFormation) can detect misconfigurations in infrastructure-as-code files. Add them to your CI pipeline alongside code linting.
Every component (user, service, container) should have only the minimum permissions needed to perform its function, nothing more. This limits the blast radius if a component is compromised. Apply it to: database users, S3 bucket policies, IAM roles, Kubernetes RBAC, and application service accounts.
π‘ Tips
- Disable all features and services your application doesn't need β reduces attack surface automatically.
- Use environment-specific configuration: strict production settings, relaxed dev/test settings. Never ship dev config to production.
- Rotate all default passwords before the first deployment, not after β treat defaults as compromised from day one.
- Enable security scanning in your CI/CD pipeline to catch misconfigurations before they reach production.