Don't use defaults
May 07, 2017
Recently I bought simple LTE router. While reading through manual I noticed something interesting.
Why leaving insecure defaults can be a problem?
Everyone who buys this model will have the same settings. For example accessing the main router dashboard. Just type 192.168.1.1 and admin/admin. You are inside!
Isn’t that a little bit dangerous?
I think yes. Then I thought about all this tools and frameworks that we use to build web applications. Do we really change their security default settings?
Leaving insecure defaults can lead to for example MongoDB hack. Imagine how this can affect your customer.
What can you do?
I use mostly Django for web applications. As you may know, Django comes
default, this panel is under
host/admin. So far so good but what if
you don’t change it in production? If attacker will recognize that your
web server is using Django he/she will first try to look for admin on
default address. You can change that by providing
This is one of the examples how to change even this innocent looking settings to make it harder or prevent an attacker from accessing your data.
Change insecure default settings in production!
That’s all for today! This was my first blog post from category opinion so feel free to comment on my opinions.
Written by Krzysztof Żuraw who lives and works in Wrocław. About page.