# Web Server Security Misconfiguration

Web servers are often deployed with insecure defaults, or with options left over from development that were never turned off. This page gives a checklist of the misconfigurations to look for, plus tools for checking a site's Content-Security-Policy and other security headers.

### Checklist <a href="#checklist" id="checklist"></a>

* The admin page is reachable by **non-admin** users.
* **Directory listing** is enabled.
* A test or staging environment is publicly reachable.
* Default username and password are still in use.
* The admin password is easy to guess, e.g. **"admin"**, **"password123"**, etc.
* The software is **out of date** or a **vulnerable** version.
* Attacker-friendly error messages are displayed, e.g. they reveal the software version or a stack trace.
* Storage on a **cloud service provider (CSP)** is left with its default sharing permissions.
* Insecure `http` is used rather than `https`.
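Several of the items above can be spotted directly from one captured response. The script below is an added example for this page (not code from any scanner or project): it takes a URL, its response headers and body, and flags plaintext transport, a test/staging hostname, version-revealing `Server`/`X-Powered-By` headers, an auto-generated directory index and verbose error pages. The sample response is constructed by hand, and the regexes and the list of non-production hostname labels are heuristics chosen for this example, not a standard.

```python
"""Flag checklist misconfigurations from a captured HTTP response.

Added example for this page, not code from any scanner or project. The
response below is constructed by hand; the regexes and hostname labels are
heuristics chosen for this example (assumptions), not a standard.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a directory listing on a staging host, served over
# plain http by an old Apache/PHP that announces its versions.
SAMPLE_URL = "http://staging.example.com/backup/"
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.15 (CentOS)",
    "X-Powered-By": "PHP/5.3.3",
    "Content-Type": "text/html;charset=UTF-8",
}
SAMPLE_BODY = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1><pre>
<a href="../">Parent Directory</a>
<a href="db-2020.sql">db-2020.sql</a>
</pre></body></html>"""

# Hostname labels that usually mark a non-production environment (assumed list).
TEST_LABELS = {"test", "testing", "staging", "stage", "dev", "uat", "qa"}
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")
LISTING_RE = re.compile(r"<title>\s*Index of /|Parent Directory|Directory listing for", re.I)
ERROR_RE = re.compile(r"Traceback \(most recent call last\)|Stack trace:|Fatal error:|ORA-\d{5}")


def audit_response(url, headers, body):
    """Return (check, detail) findings for one response; empty list if clean."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)

    # Plain http: credentials and session cookies cross the wire unencrypted.
    if parts.scheme == "http":
        findings.append(("insecure-transport", "served over http, not https"))

    # Test/staging environment reachable at a public name.
    labels = set((parts.hostname or "").lower().split("."))
    if labels & TEST_LABELS:
        findings.append(("test-environment-exposed", parts.hostname))

    # Server / X-Powered-By announcing an exact version helps an attacker
    # pick a known exploit for that release.
    for name in ("server", "x-powered-by"):
        value = hdrs.get(name, "")
        if VERSION_RE.search(value):
            findings.append(("version-disclosure", f"{name}: {value}"))

    # Auto-generated index pages reveal file names (backups, configs, dumps).
    if LISTING_RE.search(body):
        findings.append(("directory-listing", parts.path))

    # Framework error pages leak paths, queries and stack frames.
    if ERROR_RE.search(body):
        findings.append(("verbose-error", "stack trace or database error in body"))

    return findings


if __name__ == "__main__":
    for check, detail in audit_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{check:26} {detail}")
```

Run it as-is to see the five findings for the constructed sample; to use it on a real target, feed it the URL, headers and body from `requests` or a proxy capture. Default credentials and a weak admin password cannot be detected from a single response, so those checklist items still need a login attempt.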

### Check CSP (Content-Security-Policy) <a href="#check-csp-content-security-policy" id="check-csp-content-security-policy"></a>

CSP here means the browser's Content-Security-Policy header, not the cloud service provider from the checklist. Paste a site's policy into the tool below; it reports weaknesses such as a `script-src` that allows `'unsafe-inline'`, a wildcard or a bare scheme like `https:`, or a policy with no `object-src`.

* [CSP Evaluator](https://csp-evaluator.withgoogle.com/)

### Security Headers <a href="#security-headers" id="security-headers"></a>

* <https://securityheaders.com/> fetches a URL and reports which security headers are present, including `Strict-Transport-Security`, `Content-Security-Policy`, `X-Content-Type-Options`, `X-Frame-Options` and `Referrer-Policy`.
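The two online tools above need a reachable URL. The script below is an added example for this page (not code from CSP Evaluator or securityheaders.com) that performs a comparable offline check on a header dict: it parses the Content-Security-Policy, flags `'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, wildcard and scheme-only script sources, an `object-src` that is not `'none'` and a missing `base-uri`, and lists which of the expected security headers are absent. The rules are a hand-picked subset of what those tools report, and both header sets are constructed samples.

```python
"""Grade a Content-Security-Policy and check for missing security headers.

Added example for this page, not code from CSP Evaluator or
securityheaders.com. The rules below are a hand-picked subset of what those
tools report (assumption); the two header sets are constructed samples.
"""

# Headers a securityheaders.com-style grader expects to see (assumed list).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

# Constructed sample: a policy that looks restrictive but is trivially bypassed.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:;",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample: nonce-based policy plus the other expected headers.
STRONG_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    ),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}


def parse_csp(policy):
    """'name src src; name src' -> {name: [src, ...]}, everything lower-cased."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def evaluate_csp(policy):
    """Return (code, detail) findings for the weaknesses this example checks."""
    d = parse_csp(policy)
    findings = []

    def effective(name):
        # Fetch directives fall back to default-src when not set explicitly.
        return d.get(name, d.get("default-src"))

    script = effective("script-src")
    if script is None:
        findings.append(("no-script-src", "neither script-src nor default-src set"))
    else:
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
        )
        # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append(("unsafe-inline", "script-src allows inline scripts"))
        if "'unsafe-eval'" in script:
            findings.append(("unsafe-eval", "script-src allows eval()"))
        for src in script:
            if src == "*" or src.startswith("*."):
                findings.append(("wildcard", f"script-src allows {src}"))
            elif src in ("http:", "https:", "data:"):
                findings.append(("scheme-source", f"script-src allows any {src} URL"))

    if effective("object-src") != ["'none'"]:
        findings.append(("object-src", "object-src should be 'none' to block plugin content"))
    if "base-uri" not in d:
        findings.append(("base-uri", "base-uri missing; an injected <base> can redirect relative URLs"))
    return findings


def audit_headers(headers):
    """Combine the CSP findings with the list of expected headers that are absent."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in EXPECTED_HEADERS if h not in lower]
    csp = evaluate_csp(lower["content-security-policy"]) if "content-security-policy" in lower else []
    return {"csp": csp, "missing": missing}


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(label, audit_headers(hdrs))
```

The weak sample is the kind of policy that passes a casual glance: `default-src 'self'` looks tight, but `'unsafe-inline'` in `script-src` means any reflected `<script>` still runs, and `https:` lets an attacker load code from any TLS host. The strong sample uses a per-response nonce with `'strict-dynamic'`, which is the pattern CSP Evaluator recommends over host allow-lists.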

### References <a href="#references" id="references"></a>

* [OWASP Top 10 A05:2021 Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)
