Sensitive Data

Minimize what you collect, encrypt what you keep, never log what you shouldn't.

  • Data minimization — APIs MUST return only fields the client needs. Use explicit response DTOs, never dump database models directly.
  • PII classification — data MUST be classified by sensitivity (public, internal, PII, sensitive PII). Apply controls proportional to tier.
  • Field-level encryption — encrypt highly sensitive fields (SSN, payment info) at the application level with a KMS (AWS KMS, Azure Key Vault, GCP KMS). Separate from database-level encryption.
  • No PII in logs — tokens, passwords, credit card numbers, or PII MUST NOT be logged. Mask/redact in all log outputs, including debug level. See agenticdevelopercookbook://guidelines/implementing/security/privacy
  • No internals in API responses — internal IDs, stack traces, or database error messages MUST NOT be exposed in production. Return generic errors with correlation IDs.
  • Cache-Control — responses containing sensitive data MUST be sent with Cache-Control: no-store so browsers and intermediaries do not retain them.

version: 1.0.3
platforms: typescript, web
tags: security, sensitive-data
author: Mike Fullerton
modified: 2026-06-09

Change History

Version  Date        Author          Summary
1.0.3    2026-06-09  Mike Fullerton  Repair stale cross-reference link scheme
1.0.2    2026-04-09  Mike Fullerton  Add trigger tags
1.0.1    2026-04-09  Mike Fullerton  Reorganize into use-case directory
1.0.0    2026-03-27  Mike Fullerton  Initial creation