Route returns non-sensitive PII data without HTTPS

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

The API transmits non-sensitive personally identifiable information (PII) over a non-encrypted channel.

What are considered non-sensitive personally identifiable information (PII)?

PII is information that can identify a user but, in isolation, could not cause significant harm to a person if leaked or stolen. This information includes full name, email address or phone numbers. Note: Datadog is only able to detect certain types of PII.

Rationale

This finding works by identifying an API that both:

  • Replies with or accepts requests containing email addresses or phone numbers.
  • Uses an HTTP connection, sending data in the clear over the wire

Remediation

  • Validate whether the API is intended to return PII.
  • Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.