# Sensitive Field Exposure in API Response

- ID: go-sensitive-field-response-exposure
- Severity: CRITICAL
- CWE: Information Exposure (CWE-200)
- Languages: Go
- Frameworks: gin, echo, fiber, chi, gorilla, net/http

## Description

Sensitive fields such as password, token, or apiKey are included in HTTP responses.

## Detection Message

Sensitive field '{source}' flows to API response at {sink}. This exposes sensitive data (passwords, tokens, secrets) to API consumers.

## Remediation

Use response DTOs or the `json:"-"` tag to exclude sensitive fields from serialization.

```go
type User struct {
    ID       string `json:"id"`
    Email    string `json:"email"`
    Password string `json:"-"` // Never serialized
}
```

Learn more: https://shoulder.dev/learn/go/cwe-200/sensitive-field-response-exposure

## Related Rules

- **Environment Variable Secret Exposure** [HIGH]
- **LLM Model Theft** [HIGH]
- **LLM Sensitive Information Disclosure** [HIGH]
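The response-DTO remediation above, worked through as an added example (not the rule's or the shoulder.dev project's own code): a persistence model whose secret fields would serialize if returned directly, the DTO that replaces it, and a small guard that scans a JSON body for sensitive key names so a handler test can catch regressions. The struct, field names and the sensitive-key list are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// User mirrors a typical persistence model: every column, secrets included.
// Returning it straight from a handler is the pattern this rule flags.
type User struct {
	ID           string `json:"id"`
	Email        string `json:"email"`
	PasswordHash string `json:"password_hash"` // serialized: the defect
	APIKey       string `json:"api_key"`       // serialized: the defect
}

// UserResponse is the DTO: only the fields an API consumer should see.
type UserResponse struct {
	ID    string `json:"id"`
	Email string `json:"email"`
}

// ToResponse copies the public fields; secrets never reach the encoder.
func ToResponse(u User) UserResponse {
	return UserResponse{ID: u.ID, Email: u.Email}
}

// LeakedFields returns the top-level JSON keys of body whose name contains a
// sensitive marker (assumed list). Use it as an assertion on handler output.
func LeakedFields(body []byte) []string {
	var m map[string]any
	if err := json.Unmarshal(body, &m); err != nil {
		return nil
	}
	var leaked []string
	for k := range m {
		lk := strings.ToLower(k)
		for _, s := range []string{"password", "token", "secret", "api_key", "apikey"} {
			if strings.Contains(lk, s) {
				leaked = append(leaked, k)
				break
			}
		}
	}
	sort.Strings(leaked)
	return leaked
}

func main() {
	// Constructed sample record; the hash and key are placeholders.
	u := User{ID: "u1", Email: "a@example.test", PasswordHash: "$2a$10$placeholder", APIKey: "placeholder"}
	raw, _ := json.Marshal(u)
	safe, _ := json.Marshal(ToResponse(u))
	fmt.Println("model leaks:", LeakedFields(raw)) // [api_key password_hash]
	fmt.Println("dto leaks:  ", LeakedFields(safe)) // []
}
```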