Route returns sensitive PII data without HTTPS

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

The API transmits sensitive personally identifiable information (PII) over a non encrypted channel.

What are considered sensitive personally identifiable information (PII)?

Sensitive PII is information that, if inadvertently disclosed, could have significant consequences for the data subject. Sensitive PII data can encompass a wide range of information, including:

  • Health information, which includes medical records or insurance information.
  • Government information, which includes social security information or other government related data.
  • Proprietary information, which includes secrets or intellectual property (IP).

Note: Datadog is only able to detect certain types of PII.

Rationale

This finding works by identifying an API that both:

  • Replies with or accepts requests containing one or more of the following:
    • Social Security Number (US)
    • Social Insurance Number (UK)
    • Passport Number
    • Vehicle Identification Number
  • Uses an HTTP connection, sending data in the clear over the wire

Remediation

  • Validate whether the API is intended to return PII.
  • Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.