Route returns non-sensitive PII data without rate limit

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

The API returns non-sensitive personally identifiable information (PII) and does not implement any rate-limiting protection.

What are considered non-sensitive personally identifiable information (PII)?

PII is information that can identify a user but, in isolation, could not cause significant harm to a person if leaked or stolen. This information includes full name, email address or phone numbers. Note: Datadog is only able to detect certain types of PII.

Rationale

This finding works by identifying an API where both of the following conditions are fulfilled:

  • The API replies with or accepts requests containing email addresses or phone numbers.
  • There is no business logic rate-limiting rule associated with this endpoint.

Remediation

  • Validate whether the API is intended to return PII.
  • Set up rate-limiting using a detection rule on this API.