Fluid Attacks logo
Contact Us
Young hacker smiling
Zero false positives

Expert intelligence + effective automation

Contact logo Contact Us

R266. Disable insecure functionalities

This document details the security guidelines and requirements related to logical architecture management within the organization. This requirement establishes the importance of disabling or controlling system functions that could be harmful for the application.


The organization must disable or carefully control the insecure functions of a system (system hardening).


Sometimes platforms include functionalities that are not required or could be harmful for some applications built on top of or residing in them. Other times, applications are developed including functionalities that allow actions that could be considered insecure. All these functionalities should be disabled or otherwise controlled to prevent them from compromising the system’s security. Furthermore, the system must enforce those controls on trusted enforcement points such as access control gateways, severs and serverless functions.


  1. CWE-284: Improper Access Control The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  2. CWE-602: Client-Side Enforcement of Server-Side Security The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

  3. CWE-749: Exposed Dangerous Method or Function The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

  4. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.1) Verify that trusted enforcement points such as at access control gateways, servers, and serverless functions enforce access controls. Never enforce access controls on the client.

  5. OWASP-ASVS v4.0.1 V9.1 Communications Security Requirements.(9.1.3) Verify that old versions of SSL and TLS protocols, algorithms, ciphers, and configuration are disabled, such as SSLv2, SSLv3, or TLS 1.0 and TLS 1.1. The latest version of TLS should be the preferred cipher suite.

Service status - Terms of Use