ISO 27001:2022 A.8.9
Configuration management
UnveilScan findings mapped to this control
The scanner emits 36 distinct findings on this control. Click "Scan a domain" below to see which of them currently apply to your site, with copy-paste remediation snippets (nginx, Apache, DNS BIND, web-server config).
dns.dev_staging_surface
⏱ 15 min
DNS — Dev staging surface
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
dns.zone_transfer_open
⏱ 30 min
DNS — Zone transfer open
Risk if ignored: The entire zone (every A/AAAA/CNAME/TXT record, including internal hosts) is publicly downloadable — attackers get your full asset map for free.
security
email.smtp_banner_leak
⏱ 15 min
EMAIL — Smtp banner leak
Risk if ignored: Exact MTA software + OS version hands attackers a precise CVE-matching target.
security
Also maps to 1 other control
tls.shadow_infrastructure
⏱ 15 min
TLS — Shadow infrastructure
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.ai_manifest_mcp_config_json
⏱ 15 min
WEB — Ai manifest mcp config json
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.api.actuator
⏱ 15 min
WEB — Api.actuator
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.api.actuator_beans
⏱ 15 min
WEB — Api.actuator beans
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.api.actuator_env
⏱ 30 min
WEB — Api.actuator env
Risk if ignored: Spring Actuator /env dumps the entire application configuration, including DB strings and API keys.
security financial
Also maps to 2 other controls
web.api.actuator_mappings
⏱ 15 min
WEB — Api.actuator mappings
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.api.api_swagger_json
⏱ 15 min
WEB — Api.api swagger json
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.api.bare_env
⏱ 15 min
WEB — Api.bare env
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.api.go_pprof
⏱ 30 min
WEB — Api.go pprof
Risk if ignored: pprof exposes goroutine + heap profiling. Profile requests can also DoS the service.
security operational
Also maps to 1 other control
web.api.prometheus_metrics
⏱ 15 min
WEB — Api.prometheus metrics
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.api.springdoc_v3
⏱ 15 min
WEB — Api.springdoc v3
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.api.springfox_v2
⏱ 15 min
WEB — Api.springfox v2
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.debug_error_messages
⏱ 1h
WEB — Debug error messages
Risk if ignored: Stack traces and framework debug output tell an attacker the exact runtime + version + relative paths of the codebase, accelerating CVE-matching and pinpointing exploitable endpoints. Many real-world breaches start with a leaked traceback confirming a framework is in scope for a known deserialization or templating CVE.
security operational
web.directory_listing
⏱ 30 min
WEB — Directory listing
Risk if ignored: Anyone crawling your site discovers every uploaded file. Common exposures: customer invoices, HR exports, backup images, forgotten test files with credentials.
security privacy
Also maps to 1 other control
web.drupal_changelog_exposed
⏱ 5 min
WEB — Drupal changelog exposed
Risk if ignored: /core/CHANGELOG.txt leaks the exact Drupal version + release dates, letting an attacker correlate to CVEs without any fingerprint guesswork.
security
Also maps to 1 other control
web.favicon_fingerprint
⏱ 15 min
WEB — Favicon fingerprint
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.http_method_patch
⏱ 15 min
WEB — Http method patch
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.http_method_propfind
⏱ 15 min
WEB — Http method propfind
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.http_method_trace
⏱ 10 min
WEB — Http method trace
Risk if ignored: TRACE enables Cross-Site Tracing (XST): a hostile page harvests HTTP-only cookies through XHR. Rare but trivially exploitable when present.
security
Also maps to 2 other controls
web.http_trace_enabled
⏱ 15 min
WEB — Http trace enabled
Risk if ignored: Classic XST: a compromised or malicious same-origin script can steal HTTP-only cookies via an XHR TRACE request.
security
Also maps to 1 other control
web.leak.debug_pprof
⏱ 15 min
WEB — Leak.debug pprof
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.leak.debug_vars
⏱ 15 min
WEB — Leak.debug vars
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.leak.laravel_telescope
⏱ 15 min
WEB — Leak.laravel telescope
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.leak.next_hmr
⏱ 15 min
WEB — Leak.next hmr
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.leak.symfony_profiler
⏱ 15 min
WEB — Leak.symfony profiler
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.pwa_manifest_leak
⏱ 15 min
WEB — Pwa manifest leak
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.robots_sensitive_paths
⏱ 15 min
WEB — Robots sensitive paths
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.tomcat_default_banner
⏱ 30 min
WEB — Tomcat default banner
Risk if ignored: Default Tomcat Server header leaks software identity (and sometimes version) — accelerates CVE mapping. Default installs commonly also ship /manager/, /examples/ and /docs/, which expand the attack surface.
security operational
Also maps to 1 other control
web.tomcat_default_root_page
⏱ 15 min
WEB — Tomcat default root page
Risk if ignored: Default Tomcat ROOT landing page reachable on the apex is the strongest signal of an unhardened production host. It correlates with /manager/, /host-manager/, /examples/, /docs/ also being deployed — each with its own CVE history.
security operational
Also maps to 2 other controls
web.wayback.config
⏱ 15 min
WEB — Wayback.config
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
web.wayback.debug
⏱ 15 min
WEB — Wayback.debug
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
web.wp_readme_exposed
⏱ 5 min
WEB — Wp readme exposed
Risk if ignored: /readme.html leaks the exact WordPress version, accelerating reconnaissance for an attacker matching CVEs to your install.
security
Also maps to 1 other control
web.wp_xmlrpc_enabled
⏱ 15 min
WEB — Wp xmlrpc enabled
Risk if ignored: ~1000 password attempts per HTTP request via system.multicall. Also weaponisable for pingback DDoS against third parties.
security reputational