Sensitive Data Exposure
Description
This vulnerability occurs when sensitive information such as API keys, authentication tokens, database credentials, encryption keys, or other secrets is inadvertently exposed through client-accessible resources. Common exposure points include JavaScript files, HTML source code, HTTP response headers, error messages, and configuration files. When secrets are embedded in client-side code or placed in publicly accessible locations, they are visible to anyone who inspects the application, creating a significant security risk.
Remediation
Take immediate action to mitigate this vulnerability:
1. Revoke compromised secrets immediately: Invalidate all exposed API keys, tokens, and credentials, then generate new ones. Assume any exposed secret has been compromised.
2. Remove secrets from client-side code: Never embed secrets in JavaScript, HTML, or any files served to clients. Move all sensitive credentials to server-side code or secure configuration management systems.
3. Use environment variables: Store secrets in environment variables or secure secret management services (e.g., AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) rather than hardcoding them.
Example of secure secret handling:
```javascript
// Insecure - DO NOT DO THIS (a literal key shipped to the client)
const apiKey = 'sk_live_abc123xyz789';
```

```javascript
// Secure - Server-side only: the key is read from the environment at runtime
const apiKey = process.env.API_KEY;
// Ensure .env files are in .gitignore so they are never committed
```
4. Implement code scanning: Use automated tools to scan repositories for accidentally committed secrets before deployment.
5. Apply principle of least privilege: Ensure secrets have minimal necessary permissions to limit potential damage from exposure.