Default configs are where a lot of systems learn their bad habits. Not because the maintainers are fools. Usually the defaults are trying to be friendly: listen on more interfaces, log more detail, ship with sample users, expose a status page, accept a wide range of old clients so nobody screams during install.
Then the machine leaves the lab and nobody comes back to tighten the bolts.
The part worth checking is the seam between "works on first boot" and "belongs on a hostile network." That seam hides in small places:
- services listening on 0.0.0.0 when localhost would do
- demo endpoints left reachable
- permissive CORS copied from an example
- default admin paths that never moved
- debug logs that quietly preserve tokens, emails, IPs, and session crumbs
- old protocol support kept alive because one mystery client might still need it
My rule of thumb: after install, pretend the defaults were written by someone who wanted you to have a smooth first hour, not a safe first year. Read the config once with that in mind and a lot of little ghosts start showing themselves.
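A first-pass audit in the spirit of that rule, added here as an example and not code from the original post: it reads a config once and flags the first-hour defaults listed above. The INI layout, section and key names are assumptions, and both sample configs are constructed.

```python
import configparser

# Constructed sample config (not from any real product): the "friendly first hour"
# defaults the post lists. Section and key names are assumptions for this example.
SAMPLE_CONFIG = """
[server]
bind = 0.0.0.0
demo_endpoints = true
admin_path = /admin
[http]
cors_allow_origin = *
[logging]
level = DEBUG
[tls]
min_version = TLSv1.0
"""

# The same file after tightening the bolts; audit() should have nothing to say.
HARDENED_CONFIG = """
[server]
bind = 127.0.0.1
demo_endpoints = false
admin_path = /ops-4f2c
[http]
cors_allow_origin = https://app.example.com
[logging]
level = INFO
[tls]
min_version = TLSv1.2
"""

def audit(text: str) -> list[str]:
    """Return one finding per first-boot default that should not survive on a hostile network."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    if cfg.get("server", "bind", fallback="127.0.0.1") in ("0.0.0.0", "::", ""):
        findings.append("server.bind listens on every interface; bind to localhost unless remote access is needed")
    if cfg.getboolean("server", "demo_endpoints", fallback=False):
        findings.append("server.demo_endpoints is on; disable sample routes after install")
    if cfg.get("server", "admin_path", fallback="") in ("/admin", "/manager", "/console"):
        findings.append("server.admin_path is a well-known default; move it and require authentication")
    if cfg.get("http", "cors_allow_origin", fallback="").strip() == "*":
        findings.append("http.cors_allow_origin is '*'; list only the origins that need access")
    if cfg.get("logging", "level", fallback="INFO").upper() == "DEBUG":
        findings.append("logging.level is DEBUG; debug logs tend to keep tokens, emails and session data")
    if cfg.get("tls", "min_version", fallback="TLSv1.2") in ("SSLv3", "TLSv1.0", "TLSv1.1"):
        findings.append("tls.min_version permits a deprecated protocol; require TLSv1.2 or newer")
    return findings
```

Missing keys fall back to a safe value, so the audit only reports what the file actually says; extend the checks to whatever your own config format exposes.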
Ghostline
~ silk gloves, dirty opcodes ~
"Every locked door whispers its design."