Remove sensitive data from client-side applications
Summary
Access codes, tokens or credentials should be removed from client-side applications. If its needed, the associated service should support Access Control Lists based on the expected origin.
Description
Storing sensitive information on the client side increases security risks, as it could be exposed, intercepted, or tampered by malicious actors. Also, the Access Control Lists (ACLs) is a useful mechanism used to control access to resources based on specified rules mitigating the risk of unauthorized access to sensitive data.
References
- CWE-200. Exposure of sensitive information to an unauthorized actor
- EPRIVACY-4_1a. Security of processing
- GDPR-5_1f. Principles relating to processing of personal data
- OWASP10-A2. Cryptographic failures
- SOC2-C1_1. Additional criteria for confidentiality
- MITRE-M1043. Credential access protection
- PDPO-S1_4. Security of personal data
- CMMC-CM_L2-3_4_9. User-installed software
- HITRUST-09_p. Disposal of media
- ISO27002-8_26. Application security requirements
- OSSTMM3-11_9_1. Data networks security - Configuration controls
- ISSAF-T_19_1. Web application assessment - Global Countermeasures (client-side)
- BSAFSS-SI_1-4. Avoid architectural weaknesses of authentication failure
- SIGLITE-SL_131. Are end user devices used for transmitting, processing or storing scoped data?
- ASVS-8_2_1. Client-side data protection
- OWASPAPI-API3. Broken Object Property Level Authorization
- ISO27001-8_26. Application security requirements
- CASA-8_2_1. Client-side Data Protection
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan