What does OWASP mean when they say you should not "send raw responses to clients"?

Time:02-10

  • Do not send raw responses to clients

https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_(SSRF)/

What does this refer to? I tried to google, but all I can find is 'raw' as in the full text or stringified. Aren't all HTTP(S) responses 'raw' in this sense, since it's text-based?

Or does it mean editing the response to give fake values regarding the server, rather than genuine ones?

CodePudding user response:

I am fairly certain that it means you shouldn't send a response you received from a third party (e.g. an API) directly to the end user.

If you do so, it could provide sensitive information to an attacker, or information that could further expose your app.

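To make the answer's point concrete, here is an added Python example (not from the OWASP page or the answer above) contrasting the two patterns: an endpoint that relays a third-party API reply to the client byte-for-byte, and one that treats that reply as untrusted input, parses it, keeps only the fields the endpoint is meant to expose, and builds a fresh response with its own headers. The upstream status, headers and body are constructed sample data, and `forward_raw`, `forward_filtered`, `leaked_items` and `ALLOWED_FIELDS` are names chosen for this example.

```python
import json

# Constructed sample of what a third-party or internal API might return.
# None of these values come from a real service; they stand in for the
# kind of detail an upstream reply often carries without anyone noticing.
UPSTREAM_STATUS = 200
UPSTREAM_HEADERS = {
    "Content-Type": "application/json",
    "Server": "internal-api/2.3 (debug build)",     # constructed: reveals software/version
    "X-Backend-Host": "10.0.12.7",                   # constructed: internal address
    "Set-Cookie": "backend_session=abc123; Path=/",  # constructed: upstream session cookie
}
UPSTREAM_BODY = json.dumps({
    "id": 42,
    "name": "Widget",
    "price": 9.99,
    "_debug": {"db_host": "db.internal.example", "query_ms": 12},  # constructed
    "internal_notes": "supplier margin 40%",                       # constructed
}).encode()

# The only fields this endpoint is meant to expose to end users.
ALLOWED_FIELDS = ("id", "name", "price")

# A generic body to send when the upstream reply cannot be used as-is.
_UPSTREAM_ERROR = (502, {"Content-Type": "application/json"},
                   b'{"error":"upstream unavailable"}')


def forward_raw(status, headers, body):
    """Vulnerable pattern: relay the upstream reply to the client unchanged.

    Every upstream header (server banner, internal host, cookie) and every
    body field (debug data, internal notes) reaches the end user.
    """
    return status, dict(headers), body


def forward_filtered(status, headers, body):
    """Hardened pattern: treat the upstream reply as untrusted input.

    Parse it, copy out only the allowed fields, and build a new response with
    our own headers. Upstream headers and error bodies are never forwarded.
    """
    # An upstream error page or stack trace is exactly what we must not echo.
    if status != 200:
        return _UPSTREAM_ERROR
    try:
        data = json.loads(body)
    except ValueError:  # covers JSONDecodeError and bad UTF-8
        return _UPSTREAM_ERROR
    if not isinstance(data, dict):
        return _UPSTREAM_ERROR
    clean = {key: data[key] for key in ALLOWED_FIELDS if key in data}
    return 200, {"Content-Type": "application/json"}, json.dumps(clean).encode()


def leaked_items(status, headers, body):
    """Check a response for markers of the constructed sensitive details."""
    text = body.decode(errors="replace") + " ".join(
        f"{key}: {value}" for key, value in headers.items()
    )
    markers = ("10.0.12.7", "db.internal.example", "internal_notes",
               "debug", "backend_session")
    return [marker for marker in markers if marker in text]


if __name__ == "__main__":
    raw = forward_raw(UPSTREAM_STATUS, UPSTREAM_HEADERS, UPSTREAM_BODY)
    filtered = forward_filtered(UPSTREAM_STATUS, UPSTREAM_HEADERS, UPSTREAM_BODY)
    print("raw response leaks:     ", leaked_items(*raw))
    print("filtered response leaks:", leaked_items(*filtered))
    print("filtered body:          ", filtered[2].decode())
```

Running the script shows every constructed marker in the raw relay and none in the filtered one. The design choice worth noting is the allow-list: instead of trying to strip known-bad fields and headers from the upstream reply, the hardened version starts from an empty response and adds only what the endpoint's contract requires, so anything the upstream service adds later is dropped by default.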