insecure-defaults-anti-pattern
Installation
SKILL.md
Insecure Defaults Anti-Pattern
Severity: Critical
Summary
Insecure defaults occur when applications continue operating with weak or default values when required configuration is missing. Unlike hardcoded secrets (which are always present), insecure defaults create fail-open conditions where missing environment variables cause the application to silently use unsafe fallback values. This is particularly dangerous because the vulnerability only manifests in misconfigured deployments.
The Anti-Pattern
Never provide fallback values for security-critical configuration. Applications should fail immediately (fail-secure) when required secrets or security settings are missing.
Key Distinction
| Pattern | Behavior | Risk |
|---|---|---|
| Fail-open (BAD) | Uses default when config missing | Silent security bypass |
| Fail-secure (GOOD) | Crashes when config missing | Deployment fails safely |