[{"data":1,"prerenderedAt":290},["ShallowReactive",2],{"blog-vulnerabilities/sensitive-data-exposure":3},{"id":4,"title":5,"body":6,"category":269,"date":270,"dateModified":271,"description":272,"draft":273,"extension":274,"faq":275,"featured":273,"headerVariant":276,"image":275,"keywords":275,"meta":277,"navigation":278,"ogDescription":279,"ogTitle":275,"path":280,"readTime":281,"schemaOrg":282,"schemaType":283,"seo":284,"sitemap":285,"stem":286,"tags":287,"twitterCard":288,"__hash__":289},"blog/blog/vulnerabilities/sensitive-data-exposure.md","Sensitive Data Exposure Explained",{"type":7,"value":8,"toc":250},"minimark",[9,16,21,24,59,63,68,83,87,96,105,109,118,122,131,135,138,147,151,155,164,168,171,175,184,188,197,219,238],[10,11,12],"tldr",{},[13,14,15],"p",{},"Sensitive data exposure occurs when applications fail to protect confidential information like passwords, credit cards, personal data, or health records. This happens through unencrypted transmission (no HTTPS), improper storage (plain text passwords), oversharing in API responses, or inadequate access controls. Protect sensitive data with encryption (TLS for transit, AES for storage), minimize data collection, and never return more data than needed.",[17,18,20],"h2",{"id":19},"what-is-sensitive-data-exposure","What Is Sensitive Data Exposure?",[13,22,23],{},"Sensitive data exposure is a broad category covering any situation where confidential information becomes accessible to unauthorized parties. 
This includes:",[25,26,27,35,41,47,53],"ul",{},[28,29,30,34],"li",{},[31,32,33],"strong",{},"Personally Identifiable Information (PII):"," Names, addresses, phone numbers, SSNs",[28,36,37,40],{},[31,38,39],{},"Financial data:"," Credit card numbers, bank accounts, transaction history",[28,42,43,46],{},[31,44,45],{},"Authentication data:"," Passwords, session tokens, API keys",[28,48,49,52],{},[31,50,51],{},"Health information:"," Medical records, prescriptions, diagnoses",[28,54,55,58],{},[31,56,57],{},"Business secrets:"," Internal documents, algorithms, customer lists",[17,60,62],{"id":61},"how-data-gets-exposed","How Data Gets Exposed",[64,65,67],"h3",{"id":66},"_1-no-https-data-in-transit","1. No HTTPS (Data in Transit)",[69,70,72],"code-block",{"label":71},"Unencrypted transmission",[73,74,79],"pre",{"className":75,"code":77,"language":78},[76],"language-text","// User submits login form over HTTP\n// Anyone on the network can see:\nPOST http://yoursite.com/login\nContent-Type: application/x-www-form-urlencoded\n\nemail=user@example.com&password=secret123\n\n// This is visible to:\n// - ISPs, network operators\n// - Anyone on the same WiFi\n// - Government surveillance\n","text",[80,81,77],"code",{"__ignoreMap":82},"",[64,84,86],{"id":85},"_2-api-oversharing","2. 
API Oversharing",[69,88,90],{"label":89},"Returning too much data",[73,91,94],{"className":92,"code":93,"language":78},[76],"// VULNERABLE: Returns entire user object\napp.get('/api/users/:id', async (req, res) => {\n  const user = await db.user.findUnique({ where: { id: req.params.id } });\n  res.json(user);\n});\n\n// Response includes sensitive fields:\n{\n  \"id\": 123,\n  \"email\": \"user@example.com\",\n  \"name\": \"John Doe\",\n  \"passwordHash\": \"$2b$12$...\",     // Should never expose!\n  \"ssn\": \"123-45-6789\",              // Definitely not!\n  \"creditCard\": \"4111111111111111\",  // Catastrophic!\n  \"internalNotes\": \"VIP customer\"    // Business sensitive\n}\n",[80,95,93],{"__ignoreMap":82},[69,97,99],{"label":98},"SECURE: Select only needed fields",[73,100,103],{"className":101,"code":102,"language":78},[76],"app.get('/api/users/:id', async (req, res) => {\n  const user = await db.user.findUnique({\n    where: { id: req.params.id },\n    select: {\n      id: true,\n      name: true,\n      avatarUrl: true\n      // Only public fields\n    }\n  });\n  res.json(user);\n});\n",[80,104,102],{"__ignoreMap":82},[64,106,108],{"id":107},"_3-logging-sensitive-data","3. Logging Sensitive Data",[69,110,112],{"label":111},"Accidentally logging secrets",[73,113,116],{"className":114,"code":115,"language":78},[76],"// DANGEROUS: Logging request bodies\napp.use((req, res, next) => {\n  console.log('Request:', JSON.stringify(req.body));\n  // Logs passwords, credit cards, etc.\n  next();\n});\n\n// DANGEROUS: Logging user objects\nconsole.log('User logged in:', user);\n// May include sensitive fields\n",[80,117,115],{"__ignoreMap":82},[64,119,121],{"id":120},"_4-client-side-storage","4. 
Client-Side Storage",[69,123,125],{"label":124},"Storing sensitive data in browser",[73,126,129],{"className":127,"code":128,"language":78},[76],"// VULNERABLE: Sensitive data in localStorage\nlocalStorage.setItem('user', JSON.stringify({\n  id: 123,\n  email: 'user@example.com',\n  creditCard: '4111111111111111'  // Never store this client-side!\n}));\n\n// Anyone with browser access can see this\n// XSS attacks can steal this data\n",[80,130,128],{"__ignoreMap":82},[17,132,134],{"id":133},"data-exposure-in-vibe-coded-apps","Data Exposure in Vibe-Coded Apps",[13,136,137],{},"AI-generated code often returns complete database records without filtering:",[139,140,141],"warning-box",{},[13,142,143,146],{},[31,144,145],{},"Common AI patterns that leak data:"," Returning full user objects from login, including all fields in list views, logging full request/response bodies, and storing user data in localStorage without filtering.",[17,148,150],{"id":149},"how-to-prevent-data-exposure","How to Prevent Data Exposure",[64,152,154],{"id":153},"_1-always-use-https","1. Always Use HTTPS",[69,156,158],{"label":157},"HSTS header in Next.js (pair it with an HTTP-to-HTTPS redirect at your host or proxy; keep the preload directive only if you will submit the domain to the HSTS preload list)",[73,159,162],{"className":160,"code":161,"language":78},[76],"// next.config.js\nconst securityHeaders = [\n  {\n    key: 'Strict-Transport-Security',\n    value: 'max-age=63072000; includeSubDomains; preload'\n  }\n];\n\nmodule.exports = {\n  async headers() {\n    return [{ source: '/:path*', headers: securityHeaders }];\n  }\n};\n",[80,163,161],{"__ignoreMap":82},[64,165,167],{"id":166},"_2-minimize-data-collection","2. Minimize Data Collection",[13,169,170],{},"Only collect data you actually need, and delete it once it has served its purpose. If you don't store it, you can't leak it.",[64,172,174],{"id":173},"_3-use-dtos-data-transfer-objects","3. 
Use DTOs (Data Transfer Objects)",[69,176,178],{"label":177},"Create response shapes",[73,179,182],{"className":180,"code":181,"language":78},[76],"// Define what data can be returned\ninterface PublicUserDTO {\n  id: string;\n  name: string;\n  avatarUrl: string;\n}\n\nfunction toPublicUser(user: User): PublicUserDTO {\n  return {\n    id: user.id,\n    name: user.name,\n    avatarUrl: user.avatarUrl\n  };\n}\n\n// Use in API\napp.get('/api/users/:id', async (req, res) => {\n  const user = await getUser(req.params.id);\n  res.json(toPublicUser(user));\n});\n",[80,183,181],{"__ignoreMap":82},[64,185,187],{"id":186},"_4-encrypt-sensitive-data-at-rest","4. Encrypt Sensitive Data at Rest",[69,189,191],{"label":190},"Field-level encryption (illustrative: AES-CBC gives confidentiality but no integrity check, so prefer aes-256-gcm and store the auth tag alongside the IV; the key must be exactly 32 bytes, so decode a hex- or base64-encoded ENCRYPTION_KEY into a Buffer instead of passing the raw string, and load it from a secrets manager rather than a .env file)",[73,192,195],{"className":193,"code":194,"language":78},[76],"import crypto from 'crypto';\n\nconst ENCRYPTION_KEY = process.env.ENCRYPTION_KEY;\n\nfunction encrypt(text: string): string {\n  const iv = crypto.randomBytes(16);\n  const cipher = crypto.createCipheriv('aes-256-cbc', ENCRYPTION_KEY, iv);\n  let encrypted = cipher.update(text, 'utf8', 'hex');\n  encrypted += cipher.final('hex');\n  return iv.toString('hex') + ':' + encrypted;\n}\n\n// Store SSN encrypted\nawait db.user.create({\n  data: {\n    name: 'John Doe',\n    ssnEncrypted: encrypt(ssn)\n  }\n});\n",[80,196,194],{"__ignoreMap":82},[198,199,200,207,213],"faq-section",{},[201,202,204],"faq-item",{"question":203},"What counts as sensitive data?",[13,205,206],{},"Passwords, financial information, social security numbers, health records, authentication tokens, and any personal data that could identify an individual or cause harm if exposed.",[201,208,210],{"question":209},"Is HTTPS enough to protect data?",[13,211,212],{},"HTTPS protects data in transit but not at rest or in your application logic. 
You also need proper access controls, encryption for stored data, and careful handling in your code, including keeping secrets out of logs and API responses.",[201,214,216],{"question":215},"Do I need to encrypt all data in my database?",[13,217,218],{},"Not all data, but highly sensitive fields (SSNs, health info) should be encrypted at the application level with an authenticated cipher, with the key held outside the database. Full card numbers are a special case: unless you are prepared to meet PCI DSS requirements, don't store them at all; let your payment processor hold them and keep only a token and the last four digits. Regular data is typically protected by database access controls and backup encryption.",[220,221,222,228,233],"related-articles",{},[223,224],"related-card",{"description":225,"href":226,"title":227},"Credential exposure","/blog/vulnerabilities/exposed-api-keys","Exposed API Keys",[223,229],{"description":230,"href":231,"title":232},"Data protection compliance","/blog/checklists/gdpr-checklist","GDPR Checklist",[223,234],{"description":235,"href":236,"title":237},"Detection gaps","/blog/vulnerabilities/insufficient-logging","Insufficient Logging",[239,240,243,247],"cta-box",{"href":241,"label":242},"/","Start Free Scan",[17,244,246],{"id":245},"find-data-exposure-issues","Find Data Exposure Issues",[13,248,249],{},"Our scanner detects sensitive data in API responses and client-side code.",{"title":82,"searchDepth":251,"depth":251,"links":252},2,[253,254,261,262,268],{"id":19,"depth":251,"text":20},{"id":61,"depth":251,"text":62,"children":255},[256,258,259,260],{"id":66,"depth":257,"text":67},3,{"id":85,"depth":257,"text":86},{"id":107,"depth":257,"text":108},{"id":120,"depth":257,"text":121},{"id":133,"depth":251,"text":134},{"id":149,"depth":251,"text":150,"children":263},[264,265,266,267],{"id":153,"depth":257,"text":154},{"id":166,"depth":257,"text":167},{"id":173,"depth":257,"text":174},{"id":186,"depth":257,"text":187},{"id":245,"depth":251,"text":246},"vulnerabilities","2026-01-22","2026-02-11","Sensitive data exposure happens when personal, financial, or confidential information isn't properly protected. 
Learn how data leaks happen and how to secure user data.",false,"md",null,"red",{},true,"Learn how sensitive data gets exposed and how to protect user information in your app.","/blog/vulnerabilities/sensitive-data-exposure","8 min read","[object Object]","TechArticle",{"title":5,"description":272},{"loc":280},"blog/vulnerabilities/sensitive-data-exposure",[],"summary_large_image","iXNB6CjuQ-0BXUz9f1hqxg03uedyFKTTQ14bv3zJpLo",1775843926447]