Route returns non-sensitive PII without setting Cache-Control HTTP header

Docs > Datadog Security > OOTB Rules > Route returns non-sensitive PII without setting Cache-Control HTTP header

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

This publicly exposed API endpoint returns non-sensitive personally identifiable information (PII) without implementing the Cache-Control header. This header instructs browsers how to cache HTTP responses. Without this header, sensitive API responses might be cached inappropriately, potentially exposing confidential information to unintended users through shared browsers.

What are considered non-sensitive personally identifiable information (PII)?

PII is information that can identify a user but, in isolation, cannot cause significant harm to a person if leaked or stolen. This information includes full name, email address, and phone numbers. Note: Datadog is only able to detect certain types of PII.

Remediation

Implement the Cache-Control header in all API responses. Use the ’no-store’ value to prevent caching of sensitive data.

Example header values:

Cache-Control: no-store