# Configuration (CWE-16)

Weaknesses in this category are typically introduced during the configuration of the product.

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (1 fix example)

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Configuration weaknesses occur when the product is set up in a way that exposes security vulnerabilities. This includes insecure default settings, missing security headers, or improper feature flags.

## Prevention

### Key Practices

- Security headers are configured at the application level (app setup or middleware), not in individual view handlers.

### Python

Add HSTS, X-Content-Type-Options, X-Frame-Options, and CSP via middleware.

## Warning Signs

- [MEDIUM] Application missing important security headers
- [MEDIUM] Missing security headers like HSTS, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy

## Consequences

- Bypass Protection Mechanism
- Read Application Data
- Gain Privileges

## Mitigations

- Use secure defaults for all configuration options
- Implement security headers (CSP, HSTS, X-Frame-Options, etc.)
- Regularly audit and harden configurations

## Detection

- Total rules: 1
- Languages: python

## Rules by Language

### Python (1 rule)

- **Missing Security Headers** [MEDIUM]: Detects missing security headers like HSTS, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy. These headers provide defense-in-depth against various attacks. NOTE: This rule only applies to app setup files (settings.py, middleware, app.py, etc.). Security headers should be configured at the application level, not in individual view handlers.
  - Remediation: Add security headers via middleware: HSTS, X-Content-Type-Options, X-Frame-Options, and CSP.
```python
from flask import Flask

app = Flask(__name__)


@app.after_request
def set_security_headers(response):
    # Runs on every response, so headers are set once at the application
    # level rather than in each view handler.
    response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
    response.headers['X-Content-Type-Options'] = 'nosniff'
    response.headers['X-Frame-Options'] = 'DENY'
    response.headers['Content-Security-Policy'] = "default-src 'self'"
    return response
```

Learn more: https://shoulder.dev/learn/python/cwe-16/missing-security-headers
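The remediation above sets four headers, but the rule also looks for Referrer-Policy and Permissions-Policy. The following audit helper, added here as an example and not taken from the page or the rule set, checks a response's header map for all six and flags weak values; the header list, the one-year HSTS minimum and the sample response are assumptions constructed for illustration.

```python
# Added example (not the page's code): audit a response header mapping for the
# headers this rule expects and for a few weak values a review would flag.
import re

# Assumed header list, taken from the rule description and remediation above.
REQUIRED_HEADERS = (
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Content-Security-Policy",
    "Referrer-Policy",
    "Permissions-Policy",
)
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, matching the snippet above


def audit_security_headers(headers):
    """Return a list of findings (empty when nothing is wrong).

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {n}" for n in REQUIRED_HEADERS if n.lower() not in lower]
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age {m.group(1)} is below one year")
    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    xfo = lower.get("x-frame-options")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")
    return findings


# Constructed sample: the four headers from the remediation snippet, with
# Referrer-Policy and Permissions-Policy still absent.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for finding in audit_security_headers(SAMPLE_HEADERS):
        print(finding)
```

In a Flask test, the same function can be run over `client.get("/").headers` to fail the build when a deployment drops a header.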