Access codes, tokens or credentials should be removed from client-side applications. If a credential must be used from the client, the associated service should support Access Control Lists based on the expected origin.
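The following is an added example (not code from the original page) of the pattern the recommendation describes: the upstream token is held only on a backend, the browser client never receives it, and the backend serves requests only for an allow-list of expected origins. All host names, the `ORIGIN_ACL` set, the `UPSTREAM_TOKEN` placeholder and the `callUpstream` callback are assumptions constructed for the example.

```javascript
// Added example: server-side origin ACL in front of a credential the client
// must never hold. Names, hosts and the token value are constructed.

// Allow-list of browser origins permitted to use this backend endpoint.
// Origins are compared as whole values (scheme + host + port), never as
// substrings, so "https://app.example.test.attacker.invalid" does not match.
const ORIGIN_ACL = new Set([
  "https://app.example.test",
  "https://admin.example.test",
]);

// Normalise an Origin header value to "scheme://host[:port]" for exact
// comparison. Returns null for anything that is not an http(s) origin,
// including the opaque value "null" and a missing header.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // An Origin header carries no path, query or fragment; reject anything else.
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return null;
  // URL.origin drops default ports: "https://a:443" normalises to "https://a".
  return url.origin;
}

// Exact-match check against the ACL.
function originAllowed(originHeader, acl = ORIGIN_ACL) {
  const origin = normalizeOrigin(originHeader);
  return origin !== null && acl.has(origin);
}

// The upstream credential lives only in the backend process (read from the
// environment in a deployment; a constructed placeholder here). The pattern to
// avoid is the same token hard-coded in a script shipped to the browser, where
// anyone viewing the page source can read it.
const UPSTREAM_TOKEN =
  process.env.UPSTREAM_TOKEN || "PLACEHOLDER_TOKEN_NOT_A_REAL_SECRET";

// Backend handler for the proxy endpoint. `callUpstream` is injected so the
// example runs offline; a real handler would perform the outbound request
// with the server-held token at that point. `request` is a minimal object
// with a `headers` map, as a framework would hand it over.
function handleProxyRequest(request, callUpstream, acl = ORIGIN_ACL) {
  const origin = request.headers["origin"];
  if (!originAllowed(origin, acl)) {
    // Deny before touching the upstream, so the token is never used on
    // behalf of an unexpected site.
    return { status: 403, body: { error: "origin not permitted" } };
  }
  const data = callUpstream({ authorization: `Bearer ${UPSTREAM_TOKEN}` });
  return {
    status: 200,
    headers: {
      // Echo only the validated origin, never "*", so the response is not
      // readable cross-origin by arbitrary pages.
      "Access-Control-Allow-Origin": normalizeOrigin(origin),
      Vary: "Origin",
    },
    body: data,
  };
}
```

The browser client that calls this endpoint contains no credential at all; it sends a plain request to the backend, and the browser attaches the `Origin` header itself (page script cannot alter it). Note that a non-browser caller can send any `Origin` value, so the ACL limits which websites may drive the backend; the protection of the upstream token comes from its never leaving the server.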
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor: The product does not properly prevent a person's private, personal information from being accessed by actors who either are not explicitly authorized to access the information or do not have the implicit consent of the person about whom the information is collected.
CWE-522: Insufficiently Protected Credentials: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-540: Inclusion of Sensitive Information in Source Code: Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
OWASP Top 10 A3:2017-Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 V2.10 Service Authentication Requirements.(2.10.3): Verify that passwords are stored with sufficient protection to prevent offline recovery attacks, including local system access.
GDPR. Art. 5: Principles relating to processing of personal data.(1)(f): Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
ISO 27001:2013. Annex A - 18.1.3: Protect records against loss, destruction, forgery, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a): The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.