API8:2023 Security Misconfiguration

Catch-all for insecure-default settings: CORS reflects origin + credentials, debug mode on in production, default secrets committed to the repo, insecure cookies (no Secure/HttpOnly/SameSite), weak crypto (MD5, SHA-1, ECB), permissive S3 bucket policies, IAM Action: "*".

What Vulkro detects

Several specialised detectors aggregate into this category: web_config (CORS, cookies), config_extras (S3, IAM, JWT alg), crypto_weakness (weak primitives), and secrets (committed credentials).

Non-compliant code (examples)

Express — wildcard CORS with credentials, debug on

const express = require('express');
const cors = require('cors');
const app = express();
app.use(cors({ origin: '*', credentials: true })); // any origin, with credentials
app.set('debug', true); // debug output left on in production
const SECRET = 'sk_live_4eC39HqLyjWDarjtT1zdp7dc'; // never commit literals

Compliant code (examples)

Express — origin allowlist, prod hardened

const express = require('express');
const cors = require('cors');
const app = express();
app.use(cors({
  origin: ['https://app.example.com'], // explicit allowlist, no reflection
  credentials: true,
}));
app.set('debug', false);
const SECRET = process.env.STRIPE_SECRET_KEY; // load from env, rotate via CI

See also

  • Confidence model - what High, Medium, and Low mean for findings in this category.
  • Safety - what Vulkro does and does not access on your machine.

This page is generated by vulkro rules export <out-dir> from the catalog in src/rule_docs.rs. Edits made by hand are overwritten on the next regeneration.