Remove sensitive data from client-side applications

Summary

Access codes, tokens or credentials should be removed from client-side applications. If its needed, the associated service should support Access Control Lists based on the expected origin.

Description

empty

Supported In

References

• CWE™-200. Exposure of sensitive information to an unauthorized actor
• ePrivacy Directive-4_1a. Security of processing
• GDPR-5_1f. Principles relating to processing of personal data
• OWASP TOP 10-A2. Cryptographic failures
• SOC2®-C1_1. Additional criteria for confidentiality
• MITRE ATT&CK®-M1043. Credential access protection
• PDPO-S1_4. Security of personal data
• CMMC-CM_L2-3_4_9. User-installed software
• HITRUST CSF-09_p. Disposal of media
• ISO/IEC 27002-8_26. Application security requirements
• OSSTMM3-11_9_1. Data networks security - Configuration controls
• ISSAF-T_19_1. Web application assessment - Global Countermeasures (client-side)
• BSAFSS-SI_1-4. Avoid architectural weaknesses of authentication failure
• OWASP MASVS-V2_2. Security verification requirements
• OWASP MASVS-V8_11. Resilience requirements - Impede comprehension
• SIG Lite-SL_131. Are end user devices used for transmitting, processing or storing scoped data?
• OWASP ASVS-8_2_1. Client-side data protection
• OWASP API Security Top 10-API3. Excessive Data Exposure
• ISO/IEC 27001-8_26. Application security requirements
• CASA-8_2_1. Client-side Data Protection

Vulnerabilities

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.