Route returns non-sensitive PII data without rate limit

Docs > Datadog Security > OOTB Rules > Route returns non-sensitive PII data without rate limit

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

The API returns non-sensitive personally identifiable information (PII) and does not implement any rate-limiting protection.

What are considered non-sensitive personally identifiable information (PII)?

PII is information that can identify a user but, in isolation, could not cause significant harm to a person if leaked or stolen. This information includes full name, email address or phone numbers. Note: Datadog is only able to detect certain types of PII.

Rationale

This finding works by identifying an API where both of the following conditions are fulfilled:

The API replies with or accepts requests containing email addresses or phone numbers.
There is no business logic rate-limiting rule associated with this endpoint.

Remediation

Validate whether the API is intended to return PII.
Set up rate-limiting using a detection rule on this API.