VC056 · A05:2021 · CWE-350

Insecure DNS configuration

About A05:2021 Security Misconfiguration

Security misconfiguration covers all the ways a correctly-coded app still ships insecurely — debug endpoints in production, permissive CORS, missing security headers, default credentials. AI coding tools frequently generate scaffolding with development defaults that should never be deployed.

Impact: Permissive CORS (`Access-Control-Allow-Origin: *` with credentials) lets any website read your authenticated API responses. Debug mode in production leaks stack traces with file paths and library versions, helping attackers find more bugs. Missing CSP makes XSS exploitable when it would otherwise be blocked.

How to fix it: Treat configuration like code: review it, test it, lock it down before production. Use an allowlist for CORS, never `*` with credentials. Disable debug/development features in prod builds. Set the standard security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).

Common patterns in this category:

  • CORS configured with `*` origin and credentials enabled
  • Debug or development middleware enabled in production
  • Missing Content-Security-Policy header
  • Missing Strict-Transport-Security header
  • Default admin credentials left in place
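The fix described above, as an added example that is not XploitScan's own code: an origin allowlist for CORS beside the weak "any origin plus credentials" form, the standard security headers, and a small pre-deploy check that reports the common patterns listed. It is framework-agnostic plain Node; the origins, header values and the `{ env, debug }` config shape are constructed for the demo.

```javascript
// Constructed allowlist of trusted front-end origins (assumption for this example).
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// The weak pattern: "allow everything" together with credentials. "Allow all"
// middleware typically reflects the request Origin, which browsers do accept.
function permissiveCorsHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin || '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: echo the Origin only when it is on the allowlist, and send
// Vary: Origin so shared caches keep per-origin responses apart.
function corsHeadersFor(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' };
  if (requestOrigin && allowlist.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin; // exact match, never '*'
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers; // no ACAO header at all: the browser blocks the cross-origin read
}

// The standard headers named in "How to fix it"; values are a conservative baseline.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Pre-deploy check over a response's header set and the app config
// (constructed shape { env, debug }); returns the misconfigurations found.
function findMisconfigurations(headers, config) {
  const findings = [];
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === '*' && headers['Access-Control-Allow-Credentials'] === 'true') {
    findings.push('CORS: wildcard origin with credentials');
  }
  for (const h of ['Content-Security-Policy', 'Strict-Transport-Security']) {
    if (!(h in headers)) findings.push(`Missing ${h} header`);
  }
  if (config.env === 'production' && config.debug) findings.push('Debug mode enabled in production');
  return findings;
}

// Usage: a hardened response for an allowed origin yields no findings.
const hardened = Object.assign({}, corsHeadersFor('https://app.example.com'), securityHeaders());
console.log(findMisconfigurations(hardened, { env: 'production', debug: false })); // []
```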

Compliance coverage

Findings from this rule map to the following framework controls:

  • SOC 2: CC6.6, CC7.1
  • ISO 27001: A.8.9, A.8.20
  • OWASP Top 10: A05:2021 Security Misconfiguration
  • CWE: CWE-350

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC056 and 157 other rules

Free, no signup. Drag and drop a zip or run npx xploitscan scan .
