Security Misconfiguration in APIs (OWASP API #8)

OWASP API #8 — the unglamorous bug class that wins more engagements than any clever exploit: verbose stack traces, Spring Actuator and Swagger endpoints left open, reflected-origin CORS, default credentials and signing keys, dangerous HTTP methods, and missing security headers. How each one is found, and how to actually shut it down.
