Unauthenticated route returns non-sensitive PII data

Documentos > Datadog Security > OOTB Rules > Unauthenticated route returns non-sensitive PII data

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

The API allows unauthenticated users to access non-sensitive personally identifiable information (PII), which may not be intended.

What are considered non-sensitive personally identifiable information (PII)?

PII is information that can identify a user but, in isolation, could not cause significant harm to a person if leaked or stolen. This information includes full name, email address or phone numbers. Note: Datadog is only able to detect certain types of PII.

Rationale

This finding works by identifying an API that both:

Lacks an authentication mechanism.
Replies with or accepts requests containing email addresses or phone numbers.

Remediation

Validate that the code isn’t expecting the user to be authenticated to have access to this resource (AuthN). In case this API is in fact authenticated, ensure your code is instrumented correctly. Datadog auto-instruments many event types; review your instrumented business logic events.
Validate whether the API is intended to return PII.

References

Reference	Description
OWASP - Authentication Cheat Sheet	Authentication Cheat Sheet: guidance on the best practices in the authentication area.