Sensitive Data Exposure
Also Known As
data exposure
PII leakage
sensitive information disclosure
TL;DR
Passwords, tokens, PII, or financial data exposed in logs, error messages, URLs, or unencrypted storage.
Explanation
Sensitive data exposure covers any case where confidential information is accessible beyond its intended audience — logged passwords, stack traces with database credentials in error pages, session tokens in URLs, unencrypted fields in a database, or API keys committed to source control. Mitigation requires classifying sensitive fields, scrubbing them from logs, using HTTPS everywhere, encrypting at rest, and auditing what appears in error output.
Common Misconception
✗ Encrypting data at rest is sufficient to prevent sensitive data exposure. Data in transit, in logs, in error messages, in backups, and in caches also needs protection — at-rest encryption alone leaves many exposure paths open.
Why It Matters
Exposed PII, credentials, or payment data triggers regulatory penalties (GDPR, PCI-DSS), destroys user trust, and provides attackers with pivot points for further attacks.
Common Mistakes
- Logging passwords, tokens, or full credit card numbers in application or access logs.
- Sending sensitive data in URL query strings, which end up in server logs, proxy logs, and browser history.
- Returning full user objects from APIs, including hashed passwords, internal IDs, or admin flags.
- Storing unencrypted PII in session data or client-side cookies.
Code Examples
✗ Vulnerable
// Logging sensitive fields
$logger->info('Payment', ['card_number' => $card, 'cvv' => $cvv]);
// Returning full model in API response
return response()->json(User::find($id)); // includes password_hash, SSN...
✓ Fixed
// Laravel classes used below
use Illuminate\Http\Resources\Json\JsonResource;
use Illuminate\Support\Facades\Crypt;

// PHP 8.2 — #[SensitiveParameter] redacts value in stack traces
function charge(#[\SensitiveParameter] string $cardNumber): void {}

// API resources — explicit allowlist
class UserResource extends JsonResource {
    public function toArray($request): array {
        return [
            'id' => $this->id,
            'name' => $this->name,
            'email' => $this->email,
            // password_hash, ssn never included
        ];
    }
}

// Encrypt sensitive fields at rest
$ssn = Crypt::encryptString($rawSsn);

// php.ini production:
// display_errors = Off
// expose_php = Off
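A log-scrubbing helper, added here as an example (not code from the original page or any framework), that applies the "scrub sensitive fields from logs" step to a context array like the one in the vulnerable logging call; the key list, the [REDACTED] marker and the card-number masking format are this example's own assumptions:

```php
<?php
declare(strict_types=1);

// Added example, not from the original page: recursively scrub a log
// context array before it reaches a logger. The key list, the
// '[REDACTED]' marker and the PAN masking format are this example's choices.

const SENSITIVE_KEYS = [
    'password', 'password_hash', 'token', 'access_token', 'secret',
    'api_key', 'cvv', 'card_number', 'ssn', 'authorization',
];

// Replace values under sensitive keys (case-insensitive, '-' and ' '
// treated as '_') and mask card-number-like digit runs in any string.
function redactContext(array $context): array
{
    $out = [];
    foreach ($context as $key => $value) {
        $normalized = strtolower(str_replace(['-', ' '], '_', (string) $key));
        if (in_array($normalized, SENSITIVE_KEYS, true)) {
            $out[$key] = '[REDACTED]';
        } elseif (is_array($value)) {
            $out[$key] = redactContext($value);   // nested context
        } elseif (is_string($value)) {
            $out[$key] = maskPan($value);         // free-text leakage
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Mask unbroken 13-19 digit runs, keeping only the last four digits.
// Digit runs split by spaces or dashes are not matched by this pattern.
function maskPan(string $value): string
{
    return preg_replace_callback('/\b\d{13,19}\b/', function (array $m): string {
        return str_repeat('*', strlen($m[0]) - 4) . substr($m[0], -4);
    }, $value);
}

// Constructed sample context mirroring the vulnerable logging call above.
$context = [
    'card_number' => '4111111111111111',
    'cvv'         => '123',
    'customer'    => ['email' => 'a@example.com', 'password' => 'hunter2'],
    'note'        => 'retry for 4111111111111111 after timeout',
];
echo json_encode(redactContext($context), JSON_PRETTY_PRINT), PHP_EOL;
```

With Monolog, a function like this can be registered as a processor so every record's context is scrubbed before any handler writes it.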
References
Tags
Added
15 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: Medium
⚡ Quick Fix
Audit all logs, error messages, API responses, and DB columns — ensure no passwords, tokens, SSNs, or card numbers are stored/transmitted in plaintext
📦 Applies To
PHP 5.0+
web
cli
queue-worker
🔗 Prerequisites
🔍 Detection Hints
- error_log($password ...) or similar direct logging of credential variables
- json_encode() of arrays containing password/token fields
- SELECT * queries returning sensitive columns
Auto-detectable:
✗ No
semgrep
trufflehog
⚠ Related Problems
🤖 AI Agent
Confidence: High
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File
CWE-311
CWE-312
CWE-200