What is A02: Security Misconfiguration (OWASP A02:2025)?

OWASP Top 10 (2025) item #2, moved up from #5 in the 2021 edition. It is the umbrella category for unchanged defaults, unhardened configuration, verbose error leakage and open cloud storage. OWASP maps 16 CWEs into this category and reports that 3.00% of tested applications had at least one of them.

Full explanation

Security misconfiguration covers: unchanged default credentials; unnecessary features left enabled (debug endpoints, stack traces and verbose error pages in production); missing security headers (CSP, HSTS, X-Frame-Options or its CSP successor frame-ancestors); publicly readable S3 buckets and databases; permissive CORS (Access-Control-Allow-Origin: * on endpoints that carry data, or reflected origins combined with credentials); Row Level Security left disabled or without policies in Supabase; admin interfaces reachable from the internet; and outdated or known-vulnerable components running with their stock configuration. Vibe-coded apps trip this constantly because AI-generated scaffolding ships with permissive defaults and nothing in the generation loop switches them off. Mitigation = hardened defaults at scaffold time + an automated config audit on every deploy + the standard "turn off what you don't need" hygiene, applied to every layer (framework, database, hosting platform, CI).

Example

A new Supabase project is created. The developer adds tables with SQL migrations (`create table ...`) but never runs `alter table T enable row level security`. Postgres creates tables with RLS off, and Supabase grants the `anon` and `authenticated` roles privileges on tables in the `public` schema, so the anon key that ships in every browser bundle can read, and write, every row of every table. The misconfiguration is that the default ships permissive instead of restrictive. Two caveats: tables created through the dashboard's Table Editor have RLS switched on by default, so the trap is specifically SQL-created tables, which is what generated migrations produce; and enabling RLS with no policies denies everything to `anon` and `authenticated` (the `service_role` key bypasses RLS), so the fix is "enable RLS, then add narrow policies", not "enable RLS and see what breaks".
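The scenario above as an added example (not code from the original page or from Supabase): the permissive state a scaffold produces, followed by the hardened form. It assumes a Supabase Postgres database; the `orders` table and its columns are hypothetical, and `auth.uid()` is Supabase's built-in helper that returns the subject of the caller's JWT.

```sql
-- Added example, not from the original page. Assumes a Supabase
-- Postgres database; table "orders" is hypothetical.

-- 1. What the scaffold typically emits. No RLS, and in Supabase the
--    "anon" and "authenticated" roles already hold privileges on tables
--    in "public", so the anon key in the client bundle can select,
--    insert, update and delete every row.
create table public.orders (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id),
  total      numeric(10, 2) not null,
  created_at timestamptz not null default now()
);

-- 2. Hardened: switch RLS on. With no policies yet this alone denies
--    every row to anon/authenticated. service_role bypasses RLS, so
--    server-side code that uses that key keeps working.
alter table public.orders enable row level security;

-- 3. Grant back only what the app needs, scoped to the caller's rows.
create policy "orders: owner can read"
  on public.orders for select
  to authenticated
  using (user_id = auth.uid());

create policy "orders: owner can insert"
  on public.orders for insert
  to authenticated
  with check (user_id = auth.uid());

-- No policy is written for anon at all, so unauthenticated visitors get
-- zero rows. Removing the table-level privilege as well makes the intent
-- explicit and survives someone later disabling RLS on the table.
revoke all on public.orders from anon;
```

The `with check` clause on the insert policy is the part scaffolds most often omit: without it an authenticated user can insert rows with someone else's `user_id`, which is an access-control bug hiding behind a configuration one.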

FAQ

Why did this jump from #5 to #2?

Cloud platforms that default to permissive settings, plus AI-generated scaffolding that copies those defaults into every new project, have made misconfiguration the second-most-frequent finding class. An auto-generated app commonly ships with debug endpoints enabled, CORS set to `*`, RLS off on every table and no security headers, all in one bundle, and none of it is flagged because each piece is the documented default.

How do I audit?

Run a misconfiguration scan on every deploy, and fail the deploy when it finds something, so the permissive defaults cannot reach production silently. Securie's static-rules and iac_security specialists cover Next.js, Supabase, Vercel, Terraform and GitHub Actions defaults.
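A minimal version of the database side of such an audit, as an added example that is not Securie's tooling and not code from the original page. It assumes a Supabase or plain Postgres database whose application tables live in the `public` schema, and that it is run with a role that can read the catalog (for example from a CI step via `psql`). Each query returns rows only when something is wrong, so "any rows = fail the deploy" is the whole gate.

```sql
-- Added example, not Securie's tooling. Assumes application tables live
-- in schema "public" on Supabase/Postgres.

-- A. Tables with RLS disabled. In Supabase these are readable and
--    writable with the anon key whenever anon holds table privileges.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity
order by 1, 2;

-- B. Tables with RLS enabled but no policies at all. Fail-closed today,
--    but a sign the hardening was never finished (the app is probably
--    erroring on these tables, and the next "fix" may be to disable RLS).
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where c.relkind = 'r'
  and n.nspname = 'public'
  and c.relrowsecurity
group by c.relname
having count(p.oid) = 0
order by 1;

-- C. Policies granted to anon or to everyone (public) whose predicate
--    is literally true. These re-open exactly what enabling RLS closed.
select schemaname, tablename, policyname, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and (roles @> '{anon}' or roles @> '{public}')
  and (qual = 'true' or with_check = 'true')
order by tablename, policyname;

-- In CI, run each query with "psql -At" and fail the job if it prints
-- any line, e.g.:  psql "$DATABASE_URL" -Atf audit_a.sql | grep -q . && exit 1
```

Query A is the one that catches the scenario in the Example section; B and C catch the two common follow-ups, a half-finished rollout and a "using (true)" policy pasted in to make the app work again.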