Skip to content

PATTERN Cited by 1 source

Safe by default

Safe by default is the principle that security-critical behaviors should be enabled out of the box, requiring operators to explicitly opt out for the narrow cases where the safeguard doesn't apply — rather than requiring operators to discover and opt in to every protection.

BGP example: First AS enforcement

Cloudflare's 2026 measurement study demonstrated that First AS enforcement adoption correlates directly with vendor defaults:

  • Cisco IOS-XR, Nokia SR-OS, FRRouting — enforce by default → their operators are protected automatically.
  • Juniper Junos, OpenBGPD, BIRD — do NOT enforce by default → operators must manually enable it, and many don't.

The majority of Tier 1 networks failing the First AS check ran Juniper, showing that vendor defaults define the security posture of the Internet backbone. (Source: sources/2026-06-03-cloudflare-enforcing-the-first-as-in-bgp-as-paths)

General principle

The pattern applies broadly:

  • TLS: modern web servers default to TLS 1.2+ with strong ciphers; operators disable for legacy compatibility.
  • Firewall: default-deny with explicit allowlisting.
  • RFC 8212: BGP implementations SHOULD require explicit export policy before sending any routes to eBGP peers.

Trade-off

Changing longstanding defaults risks breaking existing deployments (especially IX route-server sessions for First AS). Vendors need graceful migration paths — but the alternative (insecure-by-default) leaves operators unknowingly exposed.

Seen in

Last updated · 542 distilled / 1,571 read