Route returns sensitive PII without setting Cache-Control HTTP header

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

This publicly exposed API endpoint returns non-sensitive personally identifiable information (PII) without implementing the Cache-Control header. This header instructs browsers how to cache HTTP responses. Without this header, sensitive API responses might be cached inappropriately, potentially exposing confidential information to unintended users through shared browsers.

What are considered sensitive personally identifiable information (PII)?

Sensitive PII is information that, if inadvertently disclosed, could have significant consequences for the data subject. Sensitive PII data can encompass a wide range of information, including:

  • Health information, which includes medical records or insurance information.
  • Government information, which includes social security information or other government related data.
  • Proprietary information, which includes secrets or intellectual property (IP).

Note: Datadog is only able to detect certain types of PII.

Remediation

Implement the Cache-Control header in all API responses. Use the ’no-store’ value to prevent caching of sensitive data.

Example header values:

Cache-Control: no-store