
Sensitive Data Exposure

Security · CWE-200 · OWASP A02:2021 (Cryptographic Failures; the category was listed as A3:2017 Sensitive Data Exposure) · PHP 5.0+ · Beginner
debt(d8/e6/b6/t6)
d8 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'silent in production until users hit it' (d9), slightly better at d8 because semgrep and trufflehog can catch some patterns (hardcoded secrets, obvious password logging), but most exposure paths (verbose API responses, URL params, cache contents) remain invisible until a breach or audit.

e6 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7), slightly better at e6 because the quick_fix explicitly says to audit logs, error messages, API responses, and DB columns — touching many files across multiple concerns (logging config, API serializers, schema, session handling).

b6 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5), bumped to b6 because applies_to spans web/cli/queue-worker contexts and every new feature handling user data must re-evaluate exposure paths (logs, responses, storage, transit), shaping ongoing design decisions.

t6 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7), slightly better at t6 because the misconception (encryption-at-rest is sufficient) is a widespread and dangerous wrong intuition — developers genuinely believe checking the encryption box solves exposure, missing logs/transit/backup/cache paths.


Also Known As

data exposure · PII leakage · sensitive information disclosure

TL;DR

Passwords, tokens, PII, or financial data exposed in logs, error messages, URLs, or unencrypted storage.

Explanation

Sensitive data exposure covers any case where confidential information is readable beyond its intended audience: passwords written to logs, stack traces that print database credentials on error pages, session tokens carried in URLs, unencrypted fields in a database, or API keys committed to source control. Mitigation starts with classifying which fields are sensitive, then scrubbing them from logs and error output, serving every endpoint over HTTPS, encrypting them at rest, and auditing what error pages and API responses actually return.

Common Misconception

Encrypting data at rest is sufficient to prevent sensitive data exposure. Data in transit, in logs, in error messages, in backups, and in caches also needs protection — at-rest encryption alone leaves many exposure paths open.

Why It Matters

Exposed PII, credentials, or payment data triggers regulatory penalties (GDPR, PCI-DSS), destroys user trust, and provides attackers with pivot points for further attacks.

Common Mistakes

  • Logging passwords, tokens, or full card numbers in application or access logs, including indirectly through dumped request bodies or exception context.
  • Sending sensitive data in URL query strings, which end up in server and proxy logs, browser history, and Referer headers.
  • Returning full user objects from APIs, including hashed passwords, internal IDs, or admin flags.
  • Storing unencrypted PII in session data or client-side cookies.
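A log scrubber for the logging mistakes listed above and the "scrub from logs" step in the Explanation, as an added example that is not code from the original page or from any framework it names. It is plain PHP 8.0+; the function names (redactContext, isSensitiveKey, luhnValid, maskPan), the sensitive-key list and the sample context are assumptions chosen for illustration. Keys that name a secret are dropped outright, and free-text values are scanned for card numbers (with a Luhn check so order IDs and timestamps are left alone) and Bearer tokens, so a secret that arrives under an innocent key such as note is still masked.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original page. Function names, the key list
// and the sample data are assumptions for illustration. Requires PHP 8.0+.

// Context keys whose values never reach a log, matched case-insensitively as substrings.
const SENSITIVE_KEYS = ['password', 'passwd', 'secret', 'token', 'authorization',
                        'cookie', 'cvv', 'ssn', 'card_number'];

// Value patterns that catch secrets hiding under an innocent key such as "note".
const BEARER_PATTERN = '/\bBearer\s+[A-Za-z0-9\-._~+\/]+=*/';
const PAN_PATTERN    = '/\b(?:\d[ -]?){13,19}\b/';   // 13-19 digits, optional separators

const REDACTED = '[REDACTED]';

/** True when a context key names something sensitive. */
function isSensitiveKey(string $key): bool
{
    $key = strtolower($key);
    foreach (SENSITIVE_KEYS as $needle) {
        if (str_contains($key, $needle)) {
            return true;
        }
    }
    return false;
}

/** Luhn check so that timestamps and order IDs are not masked as card numbers. */
function luhnValid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d = $d > 4 ? $d * 2 - 9 : $d * 2;
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** Keep only the last four digits: "4242424242424242" becomes "************4242". */
function maskPan(string $digits): string
{
    return str_repeat('*', strlen($digits) - 4) . substr($digits, -4);
}

/** Scrub one scalar value; non-strings pass through untouched. */
function redactValue(mixed $value): mixed
{
    if (!is_string($value)) {
        return $value;
    }
    $value = preg_replace_callback(PAN_PATTERN, function (array $m): string {
        $digits = preg_replace('/\D/', '', $m[0]);
        return luhnValid($digits) ? maskPan($digits) : $m[0];
    }, $value);
    return preg_replace(BEARER_PATTERN, 'Bearer ' . REDACTED, $value);
}

/** Recursively scrub a PSR-3 style context array before it is written anywhere. */
function redactContext(array $context): array
{
    $out = [];
    foreach ($context as $key => $value) {
        if (is_string($key) && isSensitiveKey($key)) {
            $out[$key] = REDACTED;                 // drop by key, whatever the value
        } elseif (is_array($value)) {
            $out[$key] = redactContext($value);    // nested models, request bodies
        } else {
            $out[$key] = redactValue($value);      // scan free text by pattern
        }
    }
    return $out;
}

// Constructed sample context, shaped like the vulnerable logging call on this page.
$sample = [
    'user'        => ['id' => 42, 'email' => 'a@example.com', 'password' => 'hunter2'],
    'card_number' => '4242 4242 4242 4242',
    'cvv'         => '123',
    'note'        => 'retry for card 4111111111111111, auth Bearer eyJhbGci.abc.def',
    'order_id'    => '1234567890123',   // 13 digits, fails Luhn, left alone
    'amount'      => 1999,
];

print_r(redactContext($sample));
```

Wire it in as a Monolog processor, or call it inside whatever PSR-3 wrapper the application already uses, so every context array passes through it before any handler sees it. The key list is a denylist: each new sensitive field needs an entry, which is the ongoing design tax the b6 score above describes, and the pattern scan is the safety net for the fields that were missed.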

Code Examples

✗ Vulnerable
// Logging sensitive fields
$logger->info('Payment', ['card_number' => $card, 'cvv' => $cvv]);

// Returning full model in API response
return response()->json(User::find($id)); // includes password_hash, SSN...
✓ Fixed
<?php
use Illuminate\Http\Resources\Json\JsonResource;
use Illuminate\Support\Facades\Crypt;

// PHP 8.2: #[SensitiveParameter] replaces the argument with a
// SensitiveParameterValue in stack traces and debug_backtrace() output.
// It does not scrub what you pass to the logger yourself.
function charge(#[\SensitiveParameter] string $cardNumber): void {}

// API resources: an explicit allowlist, so a new column on the model
// stays server-side until someone deliberately adds it here
class UserResource extends JsonResource {
    public function toArray($request): array {
        return [
            'id'    => $this->id,
            'name'  => $this->name,
            'email' => $this->email,
            // password_hash, ssn never included
        ];
    }
}

// Encrypt sensitive fields at rest (Laravel's Crypt facade, keyed from APP_KEY)
$ssn = Crypt::encryptString($rawSsn);

// php.ini production:
// display_errors = Off   ; stack traces go to the error log, never to the client
// expose_php     = Off   ; no X-Powered-By header advertising the PHP version

Added 15 Mar 2026
Edited 12 Jun 2026
DEV INTEL: Tools & Severity
Severity: 🟠 High · Fix effort: Medium
⚡ Quick Fix
Audit all logs, error messages, API responses, and DB columns; ensure no passwords, tokens, SSNs, or card numbers are stored or transmitted in plaintext.
📦 Applies To
PHP 5.0+ · web · cli · queue-worker
🔍 Detection Hints
  • error_log($password) and similar direct dumps of credential variables (var_dump, print_r, echo)
  • json_encode, or a model's toArray, over data that still carries password or token fields
  • SELECT * queries that pull sensitive columns into whatever serializes the result
Auto-detectable: ✗ No. semgrep and trufflehog catch a subset (hardcoded secrets, obvious password logging); verbose responses, URL parameters and cache contents need a manual audit.
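The detection hints above as runnable scanning logic, added here and not part of the original page: a grep-style pass over source lines with one regex per hint. The rule names, the patterns and the sample lines are constructed for illustration. The usual caveat applies: text patterns miss anything split across lines or built dynamically (a model serialized without naming its columns, a query assembled from variables), which is why the entry marks the problem as not auto-detectable and a real deployment would write these as Semgrep rules over the syntax tree.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original page. Rule names, patterns and
// the sample source lines are constructed for illustration.

const EXPOSURE_RULES = [
    // error_log($password), var_dump($token), echo $secretKey ...
    'credential-logged'  => '/\b(?:error_log|var_dump|print_r|echo)\b\s*\(?\s*\$(?:password|passwd|token|secret|cvv|card)\w*/i',
    // json_encode(...) whose literal keys include a credential field
    'credential-encoded' => '/\bjson_encode\s*\([^;]*[\'"](?:password|password_hash|token|secret|ssn|cvv)[\'"]/i',
    // SELECT * pulls every column, including ones the caller never meant to expose
    'select-star'        => '/\bSELECT\s+\*\s+FROM\b/i',
];

/**
 * Return one hit per (line, rule). $lines is a file split into lines;
 * line numbers in the result are 1-based.
 */
function scanLines(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        foreach (EXPOSURE_RULES as $rule => $pattern) {
            if (preg_match($pattern, $line) === 1) {
                $hits[] = ['line' => $i + 1, 'rule' => $rule, 'code' => trim($line)];
            }
        }
    }
    return $hits;
}

// Constructed sample: lines 1-3 should fire, line 4 is a clean log call.
$sample = [
    'error_log($password . " failed for " . $user);',
    '$body = json_encode([\'id\' => $u->id, \'password_hash\' => $u->password_hash]);',
    '$rows = $pdo->query("SELECT * FROM users WHERE id = " . (int) $id);',
    '$logger->info("login failed", [\'user\' => $username]);',
];

foreach (scanLines($sample) as $hit) {
    printf("line %d [%s] %s\n", $hit['line'], $hit['rule'], $hit['code']);
}
```

Run it over `git ls-files '*.php'` in CI to catch the obvious cases early; treat select-star as a review prompt rather than a finding, since it fires on every query regardless of which columns reach a response.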
🤖 AI Agent
Confidence: High · False positives: Medium · ✗ Manual fix · Fix effort: Medium · Context: File
Related CWEs: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) · CWE-311 (Missing Encryption of Sensitive Data) · CWE-312 (Cleartext Storage of Sensitive Information)