Route returns non-sensitive PII data without HTTPS

Docs > Datadog Security > OOTB Rules > Route returns non-sensitive PII data without HTTPS

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

The API transmits non-sensitive personally identifiable information (PII) over a non-encrypted channel.

What are considered non-sensitive personally identifiable information (PII)?

PII is information that can identify a user but, in isolation, could not cause significant harm to a person if leaked or stolen. This information includes full name, email address or phone numbers. Note: Datadog is only able to detect certain types of PII.

Rationale

This finding works by identifying an API that both:

Replies with or accepts requests containing email addresses or phone numbers.
Uses an HTTP connection, sending data in the clear over the wire

Remediation

Validate whether the API is intended to return PII.
Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.