Route returns sensitive PII data without HTTPS
Description
The API transmits sensitive personally identifiable information (PII) over an unencrypted channel.
Sensitive PII is information that, if inadvertently disclosed, could have significant consequences for the data subject.
Sensitive PII data can encompass a wide range of information, including:
- Health information, which includes medical records or insurance information.
- Government information, which includes social security information or other government-related data.
- Proprietary information, which includes secrets or intellectual property (IP).
Note: Datadog is only able to detect certain types of PII.
Rationale
This finding works by identifying an API that both:
- Replies with or accepts requests containing one or more of the following:
  - Social Security Number (US)
  - Social Insurance Number (UK)
  - Passport Number
  - Vehicle Identification Number
- Uses an HTTP connection, sending data in the clear over the wire
Remediation
- Validate whether the API is intended to return PII.
- Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.
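As an added example, not Datadog's own detection logic or any code from this page, the following Python reproduces the two conditions of the finding (an SSN- or VIN-shaped value in a response, sent over plain HTTP) and applies the remediation as a WSGI middleware that redirects HTTP requests and sets the HSTS header on HTTPS responses. The regexes, header defaults and the sample `pii_app` are assumptions made for illustration.

```python
import re

# Constructed, simplified patterns for two of the PII types the finding lists.
# Assumption: illustrative only; real detectors also validate checksums/context.
PII_PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "vin": re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"),  # VINs never contain I, O or Q
}

def find_pii(body: str) -> list:
    """Return the names of PII patterns that occur in a response body."""
    return [name for name, pat in PII_PATTERNS.items() if pat.search(body)]

def classify_exchange(scheme: str, body: str, headers: dict) -> dict:
    """Mirror the finding's two conditions: PII present AND plain HTTP."""
    pii = find_pii(body)
    hsts = any(k.lower() == "strict-transport-security" for k in headers)
    return {"pii_types": pii,
            "finding": bool(pii) and scheme.lower() == "http",
            "hsts_present": hsts}

def hsts_value(max_age: int = 31536000, include_subdomains: bool = True) -> str:
    """Build the Strict-Transport-Security value (one year by default)."""
    value = f"max-age={max_age}"
    return value + "; includeSubDomains" if include_subdomains else value

def enforce_https(app):
    """WSGI middleware: redirect plain-HTTP requests, add HSTS to HTTPS replies."""
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            target = "https://" + environ.get("HTTP_HOST", "") + environ.get("PATH_INFO", "/")
            start_response("301 Moved Permanently", [("Location", target)])
            return [b""]  # the PII-bearing body never leaves over the clear channel
        def start_with_hsts(status, headers, exc_info=None):
            extra = [("Strict-Transport-Security", hsts_value())]
            return start_response(status, list(headers) + extra, exc_info)
        return app(environ, start_with_hsts)
    return wrapped

def call_wsgi(app, environ: dict):
    """Tiny driver so the middleware can be exercised without a server."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode()

def pii_app(environ, start_response):
    """Constructed sample API that returns an SSN-shaped value."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ssn": "123-45-6789"}']
```

Run `classify_exchange` over captured traffic to reproduce the finding, and wrap the real application with `enforce_https` so the same response is only ever delivered over TLS with HSTS set.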