---
title: Unauthenticated route returns non-sensitive PII data
description: Datadog, the leading service for cloud-scale monitoring.
---

# Unauthenticated route returns non-sensitive PII data
 
## Description{% #description %}

The API allows unauthenticated users to access non-sensitive personally identifiable information (PII), which may not be intended.

### What is considered non-sensitive personally identifiable information (PII)?{% #what-are-considered-non-sensitive-personally-identifiable-information-pii %}

Non-sensitive PII is information that can identify a user but that, in isolation, could not cause significant harm to a person if leaked or stolen. This includes full names, email addresses, and phone numbers. **Note**: Datadog is only able to detect certain types of PII.

## Rationale{% #rationale %}

This finding works by identifying an API that both:

- Lacks an [authentication mechanism](https://docs.datadoghq.com/security/application_security/api-inventory/#endpoint-authentication).
- Replies with or accepts requests containing email addresses or phone numbers.
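
As an added illustration (not Datadog's detection code), the two conditions above can be expressed as a small audit over a constructed endpoint inventory. The field names `route`, `authenticated`, `request`, and `response`, and the simplified email and phone patterns, are assumptions of this example.

```python
import json
import re

# Simplified patterns (assumptions for this example, not Datadog's matchers).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{7,}\d$")

def find_pii(value, path="$"):
    """Walk a decoded JSON value; yield (json_path, kind) for PII-looking strings."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from find_pii(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from find_pii(child, f"{path}[{i}]")
    elif isinstance(value, str):
        text = value.strip()
        if EMAIL_RE.match(text):
            yield path, "email"
        # Require 10+ digits so short dates and version strings are not flagged.
        elif PHONE_RE.match(text) and sum(c.isdigit() for c in text) >= 10:
            yield path, "phone"

def audit(endpoints):
    """Flag endpoints that both lack authentication and carry PII in a request or response."""
    findings = []
    for ep in endpoints:
        if ep["authenticated"]:
            continue
        hits = []
        for direction in ("request", "response"):
            body = ep.get(direction)
            if body:
                hits += [(direction, p, k) for p, k in find_pii(json.loads(body))]
        if hits:
            findings.append({"route": ep["route"], "pii": hits})
    return findings

# Constructed sample inventory: route, whether auth was observed, sample bodies.
SAMPLE = [
    {"route": "GET /api/team", "authenticated": False,
     "response": '{"members": [{"name": "A. Example", "email": "a@example.com"}]}'},
    {"route": "POST /api/callback", "authenticated": False,
     "request": '{"phone": "+1 (555) 010-0199"}', "response": '{"ok": true}'},
    {"route": "GET /api/me", "authenticated": True, "response": '{"email": "b@example.com"}'},
    {"route": "GET /api/health", "authenticated": False, "response": '{"version": "1.4.2"}'},
]

for finding in audit(SAMPLE):
    print(finding["route"], finding["pii"])
```

The authenticated `/api/me` route and the PII-free `/api/health` route are not reported, because the finding requires both conditions to hold.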

## Remediation{% #remediation %}

- Verify that the code does not expect the user to be authenticated (AuthN) in order to access this resource. If the API is in fact authenticated, ensure your code is [instrumented correctly](https://docs.datadoghq.com/security/application_security/how-it-works/add-user-info). Datadog auto-instruments many event types; [review](https://app.datadoghq.com/security/appsec/business-logic) your instrumented business logic events.
- Validate whether the API is intended to return PII.

### References{% #references %}

| Reference                                                                                                            | Description                                                                            |
| -------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- |
| [OWASP - Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html) | Authentication Cheat Sheet: guidance on the best practices in the authentication area. |
