Here are fifteen examples of production app defects (with an emphasis on configuration errors caused by a faulty or overly-simplistic CI/CD pipeline):

1. JavaScript not minified: Leaving JavaScript code unminified in production can expose source code, increase file sizes, and reduce performance due to larger payloads.

2. Swagger interface deployed: Deploying the Swagger interface in production can help hackers discover API routes, understand the API structure, and potentially exploit vulnerabilities.

3. Console log statements: Forgetting to remove console log statements in production code can expose sensitive information, clutter the console output, and impact performance.

4. Debug mode enabled: Leaving debug mode enabled in production environments can provide attackers with detailed error messages, expose sensitive information, and impact application performance.

5. Unencrypted sensitive data: Storing sensitive data (e.g., passwords, API keys) in plain text or without proper encryption can lead to data breaches if the production environment is compromised.

6. Insecure dependencies: Using outdated or vulnerable third-party libraries and dependencies in production can introduce security risks and expose the application to known vulnerabilities.

7. Exposed server configuration files: Accidentally deploying server configuration files (e.g., .htaccess, web.config) can reveal sensitive server settings and create security vulnerabilities.

8. Unoptimized database queries: Inefficient or unoptimized database queries that work in development but are not suitable for production loads can lead to poor performance and slow response times.

9. Unnecessary services and ports: Leaving unnecessary services or ports open in production environments can increase the attack surface and provide entry points for attackers.

10. Hardcoded secrets: Embedding hardcoded secrets (e.g., database credentials, API keys) directly in the codebase can expose them if the code is compromised or accessed by unauthorized individuals.

11. Verbose error messages: Displaying detailed error messages in production can expose sensitive information about the application's internals, helping attackers exploit vulnerabilities.

12. Unvalidated user input: Failing to properly validate and sanitize user input in production can lead to various security vulnerabilities, such as SQL injection or cross-site scripting (XSS) attacks.

13. Insecure communication protocols: Using insecure communication protocols (e.g., HTTP instead of HTTPS) in production can expose sensitive data in transit and make the application vulnerable to eavesdropping and man-in-the-middle attacks.

14. Unrestricted file uploads: Allowing unrestricted file uploads without proper validation and sanitization can enable attackers to upload malicious files and execute arbitrary code on the server.

15. Unprotected admin interfaces: Exposing admin interfaces or privileged functionality without proper authentication and access controls can allow unauthorized access to sensitive features and data.

16. Unoptimized caching: Incorrect caching configurations or not leveraging caching effectively in production can lead to stale data, increased server load, and poor performance.

17. Insecure deserialization: Using insecure deserialization techniques or libraries in production can allow attackers to execute arbitrary code or manipulate serialized objects, leading to remote code execution vulnerabilities.

18. Exposed source code: Accidentally deploying source code files (e.g., .java, .php, .py) to production servers can expose intellectual property and potentially reveal sensitive information or vulnerabilities.

It's crucial to have a robust deployment process that ensures these bad practices are identified and addressed before pushing code to production environments. Implementing security best practices, conducting thorough code reviews, and following secure coding guidelines can help mitigate these risks and ensure a secure and performant production release.