# Sensitive Field Exposure in API Response

- ID: javascript-sensitive-field-response-exposure
- Severity: CRITICAL
- CWE: Information Exposure (CWE-200)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nextjs, nestjs, koa, hapi, nodejs

## Description

Detects when sensitive data fields (passwords, tokens, secrets, API keys) are exposed through API endpoint responses. This commonly happens when:

1. Mapping user data with sensitive fields: `.map(u => ({ password: u.password }))`
2. Returning entire user objects: `res.json(user)` where `user` has a password field
3. Including sensitive fields in response objects: `res.json({ password: user.password })`

This is particularly dangerous when AI-generated code returns user collections without filtering sensitive fields, as in debug endpoints or admin panels.

Security Impact:

- Password hash exposure enabling offline cracking attacks
- API key/token leakage allowing account takeover
- Session token exposure enabling session hijacking
- PII disclosure violating privacy regulations (GDPR, CCPA)

## Detection Message

Sensitive field '{source}' flows to API response at {sink}. This exposes sensitive data (passwords, tokens, secrets) to API consumers.

## Remediation

Use explicit field selection to exclude sensitive data from responses:

```javascript
app.get('/api/user/:id', async (req, res) => {
  const user = await User.findById(req.params.id);
  // Strip the sensitive fields before the object reaches the response.
  // If `user` is an ORM document rather than a plain object, convert it to
  // a plain object first so the rest spread captures the data fields.
  const { password, refreshToken, ...safeUser } = user;
  res.json(safeUser);
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-200/sensitive-field-response-exposure

## Related Rules

- **Environment Variable Secret Exposure** [HIGH]
- **LLM Model Theft** [HIGH]
- **LLM Sensitive Information Disclosure** [HIGH]
- **Sensitive Field Exposure in API Response** [CRITICAL]
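The remediation above drops known-bad keys one by one. As an added example (not part of the rule page or its project), the allowlist DTO below inverts that so newly added sensitive columns are never returned by accident, and a recursive checker flags sensitive key names in a response body, including the `users.map(...)` collection case. The field names, the sample records and the key-name regex are constructed for this example; the regex is not the rule's actual pattern.

```javascript
// Fields the API is allowed to return. Anything not listed is dropped, so a
// sensitive column added later (e.g. "mfaSecret") is never exposed by accident.
const PUBLIC_USER_FIELDS = ['id', 'email', 'displayName', 'role'];

// Build the outbound representation from an allowlist rather than deleting
// known-bad keys: `{ password, ...rest }` silently leaks any sensitive field
// nobody thought to destructure.
function toPublicUser(user) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (user[key] !== undefined) out[key] = user[key];
  }
  return out;
}

// Test/middleware guard: report every key in a response body whose name looks
// sensitive, recursing into arrays and nested objects. Constructed pattern.
const SENSITIVE_FIELD_RE = /(password|passwd|secret|token|apikey|api_key|privatekey)/i;

function findSensitiveFields(body, path = '') {
  const hits = [];
  if (Array.isArray(body)) {
    body.forEach((item, i) => hits.push(...findSensitiveFields(item, `${path}[${i}]`)));
  } else if (body && typeof body === 'object') {
    for (const [key, value] of Object.entries(body)) {
      const here = path ? `${path}.${key}` : key;
      if (SENSITIVE_FIELD_RE.test(key)) hits.push(here);
      hits.push(...findSensitiveFields(value, here));
    }
  }
  return hits; // e.g. ['[0].password', '[0].refreshToken']
}

// Constructed sample records, shaped like rows a user query would return.
const USERS = [
  { id: 1, email: 'a@example.test', displayName: 'A', role: 'admin',
    password: '$2b$12$constructedhash1', refreshToken: 'rt_constructed_1' },
  { id: 2, email: 'b@example.test', displayName: 'B', role: 'user',
    password: '$2b$12$constructedhash2', apiKey: 'ak_constructed_2' },
];

// Vulnerable shape from the rule description: the collection mapped as-is.
const leakyBody = USERS.map(u => ({ ...u }));
// Remediated shape: one allowlisted DTO per record.
const safeBody = USERS.map(toPublicUser);

console.log('leaky:', findSensitiveFields(leakyBody));
console.log('safe :', findSensitiveFields(safeBody));
```

Running `findSensitiveFields` over `res.json` payloads in integration tests catches the leak before the rule has to.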