{
    "slug": "sensitive_data_exposure",
    "term": "Sensitive Data Exposure",
    "category": "security",
    "difficulty": "beginner",
    "short": "Passwords, tokens, PII, or financial data exposed in logs, error messages, URLs, or unencrypted storage.",
    "long": "Sensitive data exposure covers any case where confidential information is accessible beyond its intended audience — logged passwords, stack traces with database credentials in error pages, session tokens in URLs, unencrypted fields in a database, or API keys committed to source control. Mitigation requires classifying sensitive fields, scrubbing them from logs, using HTTPS everywhere, encrypting at rest, and auditing what appears in error output.",
    "aliases": [
        "data exposure",
        "PII leakage",
        "sensitive information disclosure"
    ],
    "tags": [
        "owasp-top10",
        "privacy",
        "cryptography",
        "cwe-312"
    ],
    "misconception": "Encrypting data at rest is sufficient to prevent sensitive data exposure. Data in transit, in logs, in error messages, in backups, and in caches also needs protection — at-rest encryption alone leaves many exposure paths open.",
    "why_it_matters": "Exposed PII, credentials, or payment data triggers regulatory penalties (GDPR, PCI-DSS), destroys user trust, and provides attackers with pivot points for further attacks.",
    "common_mistakes": [
        "Logging passwords, tokens, or full credit card numbers in application or access logs.",
        "Sending sensitive data in URL query strings, which appear in server logs and browser history.",
        "Returning full user objects from APIs, including hashed passwords, internal IDs, or admin flags.",
        "Storing unencrypted PII in session data or client-side cookies."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "log_injection",
        "weak_cryptography"
    ],
    "prerequisites": [
        "encryption_at_rest",
        "encryption_in_transit",
        "hardcoded_credential"
    ],
    "refs": [
        "https://owasp.org/www-project-top-ten/2021/A02_2021-Cryptographic_Failures",
        "https://cwe.mitre.org/data/definitions/200.html"
    ],
    "bad_code": "// Logging sensitive fields\n\\$logger->info('Payment', ['card_number' => \\$card, 'cvv' => \\$cvv]);\n\n// Returning full model in API response\nreturn response()->json(User::find(\\$id)); // includes password_hash, SSN...",
    "good_code": "// PHP 8.2 — #[SensitiveParameter] redacts value in stack traces\nfunction charge(#[\\SensitiveParameter] string \\$cardNumber): void {}\n\n// API resources — explicit allowlist\nclass UserResource extends JsonResource {\n    public function toArray(\\$request): array {\n        return [\n            'id'    => \\$this->id,\n            'name'  => \\$this->name,\n            'email' => \\$this->email,\n            // password_hash, ssn never included\n        ];\n    }\n}\n\n// Encrypt sensitive fields at rest\n\\$ssn = Crypt::encryptString(\\$rawSsn);\n\n// php.ini production:\n// display_errors = Off\n// expose_php     = Off",
    "quick_fix": "Audit all logs, error messages, API responses, and DB columns — ensure no passwords, tokens, SSNs, or card numbers are stored or transmitted in plaintext.",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/sensitive_data_exposure",
        "html_url": "https://codeclaritylab.com/glossary/sensitive_data_exposure",
        "json_url": "https://codeclaritylab.com/glossary/sensitive_data_exposure.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Sensitive Data Exposure](https://codeclaritylab.com/glossary/sensitive_data_exposure) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/sensitive_data_exposure"
            }
        }
    }
}