Remove sensitive data from client-side applications
Summary
Access codes, tokens or credentials should be removed from client-side applications. If its needed, the associated service should support Access Control Lists based on the expected origin.
Description
Storing sensitive information on the client side increases security risks, as it could be exposed, intercepted, or tampered by malicious actors. Also, the Access Control Lists (ACLs) is a useful mechanism used to control access to resources based on specified rules mitigating the risk of unauthorized access to sensitive data.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CWE™-200. Exposure of sensitive information to an unauthorized actor
- ePrivacy Directive-4_1a. Security of processing
- GDPR-5_1f. Principles relating to processing of personal data
- OWASP TOP 10-A2. Cryptographic failures
- SOC2®-C1_1. Additional criteria for confidentiality
- MITRE ATT&CK®-M1043. Credential access protection
- PDPO-S1_4. Security of personal data
- CMMC-CM_L2-3_4_9. User-installed software
- HITRUST CSF-09_p. Disposal of media
- ISO/IEC 27002-8_26. Application security requirements
- OSSTMM3-11_9_1. Data networks security - Configuration controls
- ISSAF-T_19_1. Web application assessment - Global Countermeasures (client-side)
- BSAFSS-SI_1-4. Avoid architectural weaknesses of authentication failure
- SIG Lite-SL_131. Are end user devices used for transmitting, processing or storing scoped data?
- OWASP ASVS-8_2_1. Client-side data protection
- OWASP API Security Top 10-API3. Broken Object Property Level Authorization
- ISO/IEC 27001-8_26. Application security requirements
- CASA-8_2_1. Client-side Data Protection
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.