Excessive Data Exposure (API)

APIs return more fields than necessary, leaking sensitive data in legitimate responses.

What it is

Excessive Data Exposure occurs when an API returns more data than the calling client needs for the requested operation, including sensitive fields (credentials, personal data, internal identifiers, authorization flags) that the client should never receive. It typically arises when backend objects are serialized wholesale and the client is trusted to discard whatever it does not display. OWASP's 2023 API Security Top 10 folds this category, together with Mass Assignment, into API3:2023 Broken Object Property Level Authorization.

Why it matters

Attackers harvest confidential data straight from the responses to legitimate, authenticated requests: no exploit chain is needed, the traffic looks like ordinary client use, and the leak is usually invisible to the server, which only sees a successful request. Anything the browser or mobile app receives must be assumed readable by the user, whether or not the UI renders it.

How to reduce risk

  • Return only the fields each endpoint needs for its use case, chosen per caller role rather than per UI screen; never rely on the client to drop fields
  • Define explicit response schemas (allowlists) on the server and serialize through them, instead of dumping ORM or domain objects with generic to_dict/JSON helpers
  • Validate and filter outgoing data as well as incoming payloads, e.g. with a schema check in the serialization layer that strips and logs any field the schema would not have emitted
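The following is an added illustration, not code from this page or from OWASP: it contrasts the wholesale-serialization anti-pattern described under "What it is" with a server-side allowlist and an egress check that implement the three points above. The User record, its values, and the function names are constructed for the example.

```python
from dataclasses import dataclass, fields
from typing import Any, Dict, FrozenSet, Optional, Tuple


# Hypothetical backend record: an ORM-style object that carries far more
# than any client should see. All values are constructed for this example.
@dataclass
class User:
    id: int
    username: str
    email: str
    password_hash: str
    ssn: str
    is_admin: bool


SAMPLE_USER = User(
    id=42,
    username="alice",
    email="alice@example.com",
    password_hash="$2b$12$constructed-hash-value-for-example",
    ssn="000-00-0000",
    is_admin=True,
)


def vulnerable_serialize(user: User) -> Dict[str, Any]:
    """The anti-pattern: dump the whole object and trust the client to
    ignore what it does not display. Every attribute, including the
    password hash and the admin flag, lands in the HTTP response."""
    return {f.name: getattr(user, f.name) for f in fields(user)}


# Server-side allowlists, one per audience. Nothing outside these sets can
# reach a response, no matter what the backend object holds.
PUBLIC_FIELDS: FrozenSet[str] = frozenset({"id", "username"})
OWNER_FIELDS: FrozenSet[str] = PUBLIC_FIELDS | {"email"}


def serialize_user(user: User, viewer_id: Optional[int] = None) -> Dict[str, Any]:
    """Hardened form: pick the schema for the caller, then emit only the
    allowlisted fields. A sensitive attribute added to User later is not
    exposed until someone deliberately adds it to an allowlist."""
    allowed = OWNER_FIELDS if viewer_id == user.id else PUBLIC_FIELDS
    return {name: getattr(user, name) for name in sorted(allowed)}


def enforce_response_schema(
    payload: Dict[str, Any], allowed: FrozenSet[str]
) -> Tuple[Dict[str, Any], FrozenSet[str]]:
    """Egress filter for the serialization layer: strips any key that is
    not in the schema and reports what was stripped, so a handler that
    bypassed the allowlist shows up in logs instead of leaking silently."""
    dropped = frozenset(payload) - allowed
    filtered = {k: v for k, v in payload.items() if k in allowed}
    return filtered, dropped


if __name__ == "__main__":
    print("leaky:", vulnerable_serialize(SAMPLE_USER))
    print("public view:", serialize_user(SAMPLE_USER))
    print("owner view:", serialize_user(SAMPLE_USER, viewer_id=42))
    safe, stripped = enforce_response_schema(
        vulnerable_serialize(SAMPLE_USER), OWNER_FIELDS
    )
    print("egress-filtered:", safe, "stripped:", sorted(stripped))
```

The allowlist is keyed on the caller, not on the screen that happens to display the data, so the public view of another user never includes email, and the owner view never includes the password hash, SSN or admin flag. The egress filter is a second line of defence: wire it into the framework's response path and alert on a non-empty dropped set, since any stripped field is a handler that would otherwise have leaked.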

Related Terms: API Misconfiguration, Data Breach, Least Privilege

External Resources:

  • OWASP API Security – Excessive Data Exposure: https://owasp.org/API-Security/editions/2023/en/0xa3-excessive-data-exposure/