by gcommer
1520 days ago
Plenty of server-rendered apps have been caught putting private data in responses. In this very same comment section people have mentioned the story of a state website that included teacher SSNs in hidden fields[1], and OJFord shared a story of a server that included a full env var dump in error messages[2]. This sort of thing happens all the time to all sorts of services. Rather than just blaming JS, it's far more productive to think of technical controls that could catch this. For example Taint Checking[3] or scanning server responses for API keys.

[1]: https://news.ycombinator.com/item?id=31026374
[2]: https://news.ycombinator.com/item?id=31026415
[3]: https://en.wikipedia.org/wiki/Taint_checking
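An added example of the second control the comment above suggests, scanning server responses for secrets before they leave the app. This is not code from the comment or from any project it mentions; the regexes, the `EgressScanMiddleware` class, the `scan_body` function and the sample pages are all constructed here for illustration, and the two leaked-data cases in the sample pages (an SSN in a hidden field, an env dump in an error page) mirror the two stories the comment cites:

```python
"""Egress scanner for outbound HTTP bodies (added example, not from the
original comment). Flags well-known secret formats, credential-bearing
KEY=value lines (the env-dump case) and SSN-shaped values, and a WSGI
middleware that swaps a leaking response for a generic error."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    match: str   # redacted copy of the matched text, safe to log
    offset: int  # byte offset in the decoded body, for triage


# Detection rules. These are assumptions chosen for the example; a real
# deployment tunes them to the secrets its own stack actually uses.
PATTERNS = {
    # AWS access key IDs (AKIA = long-lived, ASIA = temporary credentials).
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # SSN shape, excluding never-issued area/group/serial values.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # scheme://user:password@host, the usual DATABASE_URL leak.
    "url_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s@/]+@"),
    # KEY=value where the name looks like a credential: an env-var dump.
    "env_secret": re.compile(
        r"\b[A-Z0-9_]*(?:SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY)[A-Z0-9_]*=\S+"
    ),
}


def redact(s: str) -> str:
    """Keep enough of a hit to recognise it in a log without re-leaking it."""
    return s[:4] + "..." + s[-2:] if len(s) > 8 else "***"


def scan_body(body: str) -> list[Finding]:
    """Run every rule over the body; return findings ordered by position."""
    findings = [
        Finding(kind, redact(m.group(0)), m.start())
        for kind, rx in PATTERNS.items()
        for m in rx.finditer(body)
    ]
    return sorted(findings, key=lambda f: f.offset)


class EgressScanMiddleware:
    """WSGI middleware: buffer the app's response, scan text bodies, and if
    anything matches, log it and send a generic 500 instead of the leak."""

    TEXT_TYPES = ("text/", "application/json", "application/xml")

    def __init__(self, app, on_finding=None):
        self.app = app
        self.on_finding = on_finding or (lambda path, findings: None)

    def __call__(self, environ, start_response):
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)

        result = self.app(environ, capture)
        try:
            body = b"".join(result)
        finally:
            if hasattr(result, "close"):
                result.close()

        headers = {k.lower(): v for k, v in captured["headers"]}
        findings = []
        if headers.get("content-type", "").startswith(self.TEXT_TYPES):
            findings = scan_body(body.decode("utf-8", "replace"))

        if findings:
            self.on_finding(environ.get("PATH_INFO", ""), findings)
            body = b"Internal error\n"
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]

        start_response(captured["status"], captured["headers"])
        return [body]


# Constructed sample responses (not real data) covering the cases above.
CLEAN_PAGE = "<html><body><form><input type='hidden' name='csrf' value='d41d8cd9'></form></body></html>"
LEAKY_PAGE = ("<html><body><form><input type='hidden' name='teacher_ssn' value='123-45-6789'>"
              "</form><!-- debug: AKIAIOSFODNN7EXAMPLE --></body></html>")
ENV_DUMP_ERROR = ("Internal Server Error\nEnvironment:\nPATH=/usr/bin:/bin\n"
                  "DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod\n"
                  "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")


def static_app(html: str):
    """Toy WSGI app that always returns the given HTML (hypothetical)."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [html.encode()]
    return app


def call_wsgi(app, path="/"):
    """Minimal in-process WSGI driver so the example runs without a server."""
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return out["status"], body


if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("leaky", LEAKY_PAGE), ("env", ENV_DUMP_ERROR)]:
        print(name, scan_body(page))
    print(call_wsgi(EgressScanMiddleware(static_app(LEAKY_PAGE), on_finding=print)))
```

The scanner runs at the egress boundary rather than inside the template, so it catches the hidden-field and error-page cases alike regardless of which code path produced them; pattern matching like this is a coarse complement to taint checking, not a replacement, since it only sees shapes it already knows.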