Sensitive data exposure occurs when applications fail to adequately protect sensitive information like credentials, tokens, personal data, or financial information.
Sensitive Data Exposure occurs when an application fails to adequately protect sensitive information during storage, transit, or processing. This includes personal data (names, emails, addresses), financial data (credit card numbers, bank accounts), health information, authentication credentials, API keys, and encryption keys.
The vulnerability manifests in many ways: transmitting data in clear text (HTTP instead of HTTPS); storing sensitive data unencrypted; using weak cryptographic algorithms; exposing API keys or secrets in client-side code or version control; including sensitive data in URLs or logs; caching sensitive responses; and leaking information through error messages, metadata, or timing attacks.
Data exposure can lead to identity theft, financial fraud, and regulatory penalties. Under GDPR, organizations can face fines up to 4% of annual global turnover for data protection failures. HIPAA violations can result in fines up to $1.5 million per incident. Beyond regulatory consequences, data breaches severely damage user trust and brand reputation. Exposed credentials and API keys can be used to compromise connected systems, escalating the impact far beyond the initial exposure. Leaked secrets in public repositories are automatically harvested by bots within minutes.
Classify data by sensitivity and apply appropriate protection for each level. Encrypt all data in transit using TLS 1.2+ (enforce HTTPS everywhere). Encrypt sensitive data at rest using AES-256 or equivalent. Never store sensitive data you do not need -- minimize data collection. Never expose secrets in client-side code or version control. Use environment variables for all secrets and rotate them regularly. Implement proper access controls on API responses -- only return the fields the client needs. Use Supabase RLS to enforce data access at the database level. Add secret scanning to your CI/CD pipeline (e.g., GitGuardian, truffleHog). Hash passwords with bcrypt/Argon2 and never store them as plain text.
Select your framework for a detailed guide on fixing Sensitive Data Exposure with framework-specific code examples and security checklists.
Cross-Site Scripting (XSS)
XSS allows attackers to inject malicious scripts into web pages viewed by other users, enabling session hijacking, data theft, and defacement.
SQL Injection
SQL Injection allows attackers to interfere with database queries, potentially reading, modifying, or deleting data, and in some cases executing system commands.
Cross-Site Request Forgery (CSRF)
CSRF forces authenticated users to execute unwanted actions on a web application, exploiting the trust a site has in a user's browser.
Insecure Direct Object References (IDOR)
IDOR occurs when an application exposes internal implementation objects (like database IDs) and fails to verify that users are authorized to access the referenced resource.
Broken Authentication
Broken authentication encompasses weaknesses in session management, credential handling, and identity verification that allow attackers to compromise user accounts.
Security Misconfiguration
Security misconfiguration encompasses insecure default settings, open cloud storage, verbose error messages, unnecessary features, and missing security headers.
Missing Rate Limiting
Missing rate limiting allows attackers to perform brute force attacks, credential stuffing, API abuse, and denial of service by making unlimited requests.
JWT Vulnerabilities
JWT vulnerabilities include algorithm confusion, missing validation, token leakage, and improper key management that can lead to authentication bypass.
Path Traversal
Path traversal allows attackers to access files and directories stored outside the intended directory by manipulating file path references.
Command Injection
Command injection allows attackers to execute arbitrary operating system commands on the server through vulnerable application interfaces.
Server-Side Request Forgery (SSRF)
SSRF allows attackers to induce the server to make HTTP requests to arbitrary destinations, potentially accessing internal services, metadata APIs, and private networks.
File Upload Vulnerabilities
Insecure file upload handling can allow attackers to upload malicious files including web shells, malware, or files that exploit server-side processing.
Insecure Deserialization
Insecure deserialization allows attackers to manipulate serialized objects to achieve remote code execution, replay attacks, injection, or privilege escalation.
Row Level Security (RLS) Bypass
RLS bypass vulnerabilities occur when database-level access policies are missing, misconfigured, or can be circumvented, exposing data across tenant boundaries.
SafeVibe runs automated penetration tests to detect Sensitive Data Exposure and 14 other vulnerability types in your application.
Start Free Scan