90% of successful attacks exploit misconfiguration, not zero-day exploits. Default passwords, open ports, verbose errors — these are the real attack vectors.
Common Mistakes
- Default credentials (admin/admin)
- Detailed error messages in production
- Unsecured S3 buckets
- Outdated software
- Directory listing enabled
Hardening — Nginx

```nginx
server {
    # Hide the nginx version in the Server header and on error pages
    server_tokens off;

    # "always" sends the header on error responses too, not only on 2xx/3xx
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'" always;

    # Reject request bodies larger than 10 MB
    client_max_body_size 10m;
}
```
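To verify that the hardening above actually reaches clients, the following added example (not part of the original page) audits a captured HTTP response against the controls listed: a version-bearing Server header, the four security headers and their values, a short HSTS max-age, and an nginx autoindex page that signals directory listing. The sample responses are constructed; `audit_response` and `REQUIRED_HEADERS` are names chosen here.

```python
import re
from typing import Dict, List

# Controls mirrored from the Nginx block above; None = presence only (HSTS checked below).
REQUIRED_HEADERS = {
    "x-frame-options": ("SAMEORIGIN", "DENY"),
    "x-content-type-options": ("NOSNIFF",),
    "strict-transport-security": None,
    "content-security-policy": None,
}
MIN_HSTS_MAX_AGE = 31536000  # one year, matching the config on this page


def audit_response(headers: Dict[str, str], body: str = "") -> List[str]:
    """Return misconfiguration findings for one HTTP response."""
    findings: List[str] = []
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # server_tokens off: the Server header must not carry a version number.
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"server header leaks version: {server}")
    for name, allowed in REQUIRED_HEADERS.items():
        value = h.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif allowed and value.upper() not in allowed:
            findings.append(f"weak value for {name}: {value}")
    # HSTS that is present but short-lived is still a finding.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"strict-transport-security max-age below one year: {hsts}")
    # Directory listing enabled: autoindex pages are titled "Index of /...".
    if re.search(r"<title>Index of /", body, re.IGNORECASE):
        findings.append("directory listing enabled")
    return findings


# Constructed sample responses, not real captures.
WEAK_HEADERS = {"Server": "nginx/1.18.0", "Content-Type": "text/html"}
WEAK_BODY = "<html><head><title>Index of /backup/</title></head></html>"
HARDENED_HEADERS = {
    "Server": "nginx",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
}
```

Running `audit_response(WEAK_HEADERS, WEAK_BODY)` reports six findings, while the hardened headers produce none; feed it the headers and body from a real `curl -i` run to check a deployment.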
Cloud — AWS S3

Terraform — enforce private S3

```hcl
# Blocks every form of public access to the bucket, regardless of ACLs or
# bucket policies applied later
resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = aws_s3_bucket.main.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```
Automation
- IaC: Terraform, Pulumi — versioned configuration
- CIS Benchmarks: automated audits
- CSPM: Prowler, ScoutSuite
- Ansible: automated hardening
Key Takeaway
Automate configuration via IaC, scan regularly, remove defaults. Misconfiguration is the easiest attack vector — and the easiest to fix.