
OWASP API security – 3: Excessive data exposure

Blog post from Tyk

Post Details

Company: Tyk
Author: Jennifer Craig
Word Count: 781
Language: English
Summary

Excessive data exposure in APIs occurs when sensitive information, such as email addresses or other personally identifiable information, is included in responses that do not need it, giving an attacker who can read those responses data they should never have received. API developers often rely on the client to filter out such fields before display, a practice that leaves the sensitive data exposed in transit and readable by anyone who calls the API directly rather than through the intended client. To mitigate this risk, APIs should be designed to either exclude sensitive data from responses altogether or return it only in a redacted form, so that responsibility for data protection does not fall on the client alone. API gateways can assist by transforming and validating response data before it leaves the gateway, and tools like Tyk offer features to redact sensitive fields within JSON or XML responses and to enforce schema validation in GraphQL environments. These strategies secure the data at its origin and provide granular control over what each consumer can receive, giving a more robust defense against excessive data exposure.
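As an added example (not from the Tyk post and not Tyk's own code) of the exclude-or-redact approach the summary describes, the Go snippet below applies a per-field policy to an upstream JSON body at every nesting depth before it is returned to the client. The policy map, the key names it covers and the email masking rule are assumptions chosen for illustration.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Assumed policy for this example: "drop" removes the key, "mask" keeps a redacted form.
var policy = map[string]string{"ssn": "drop", "password": "drop", "email": "mask", "phone": "mask"}

// mask shows only the first character and domain of an email; any other value is fully redacted.
func mask(v interface{}) interface{} {
	s, _ := v.(string) // a non-string value leaves s empty and falls through to full redaction
	if at := strings.IndexByte(s, '@'); at > 0 {
		return s[:1] + "***" + s[at:]
	}
	return "[redacted]"
}

// redact applies the policy at every depth, so nested objects and arrays are covered too.
func redact(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			switch policy[strings.ToLower(k)] {
			case "drop": // the client never sees the key at all
			case "mask":
				out[k] = mask(val)
			default:
				out[k] = redact(val)
			}
		}
		return out
	case []interface{}:
		for i := range t {
			t[i] = redact(t[i])
		}
	}
	return v
}

// RedactJSON is the response-transform entry point: upstream body in, safe body out.
// A body that is not valid JSON is rejected rather than passed through unmodified.
func RedactJSON(body []byte) ([]byte, error) {
	var v interface{}
	if err := json.Unmarshal(body, &v); err != nil {
		return nil, err
	}
	return json.Marshal(redact(v))
}
```

Because the walk is recursive and key matching is case-insensitive, a `PASSWORD` field buried inside a nested `profile` object is dropped just like a top-level one.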