Should I expose bank details from my API as it is?

Time:03-29

Let's say I have an API that returns a customer's bank data if the customer saved his bank account. For example IBAN, Bank Code, Bank Account. So my API returns this data as it is. In many apps or documents you usually see sensitive information being masked like this: 123***459.

In my app on the frontend I did the same masking. But you can still read the full unmasked data directly from my API.

What is the best practice for this? Should I return data like 123***459 from the REST API?

CodePudding user response:

I think this is going to be a hard question for people to answer without knowing the full details of your use case. However, here are some ideas to get you thinking:

First of all it's worth mentioning (as you indicate in your post) that this is definitely sensitive data that needs to be handled with care. As a guiding principle the bank details must be masked as early as possible.

  1. Does your API provide bank details when the full details are required?

If the whole purpose of your API is to provide the bank details for use in the masked form then yes, you should mask them in the API response.

  2. Can you use separate APIs to provide masked and unmasked bank details?

Essentially this is saying that we can make the answer to question 1 "no". Then the API that can obtain unmasked bank details can be protected more than the one only providing the masked data.

  3. Are you doing the masking on the client side?

If the answer is yes then it is basically useless, as the user (or any malicious actor) can obtain the full bank details from the browser's interaction with the API. This needs to be avoided at all costs.
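As an added example (not code from the question or the answer above), here is a server-side sketch of points 1 to 3: the mask is produced on the server in the 123***459 form the question uses, the ordinary endpoint only ever returns the masked form, and the unmasked form lives behind a separate function gated by an explicit permission. The `BankDetails` record, the sample values and the permission name `bank_details:read_full` are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet

@dataclass(frozen=True)
class BankDetails:
    iban: str
    bank_code: str
    account_number: str

# Constructed sample record for the example; not a real account.
SAMPLE = BankDetails(iban="DE89 3704 0044 0532 0130 00",
                     bank_code="37040044", account_number="0532013000")

FULL_READ_PERMISSION = "bank_details:read_full"  # assumed permission name

def mask(value: str, keep_start: int = 3, keep_end: int = 3) -> str:
    """Produce the 123***459 form from the question: keep the first and last
    three characters and hide the rest. Values too short to hide anything are
    masked completely so a short field never comes back in full."""
    cleaned = value.replace(" ", "")
    if len(cleaned) <= keep_start + keep_end:
        return "***"
    return f"{cleaned[:keep_start]}***{cleaned[-keep_end:]}"

def masked_response(details: BankDetails) -> dict:
    """Endpoint 1: what the ordinary customer-facing API returns. The masking
    happens on the server, so the unmasked values never reach the browser."""
    return {
        "iban": mask(details.iban),
        "bank_code": mask(details.bank_code),
        "account_number": mask(details.account_number),
    }

def can_read_full(permissions: FrozenSet[str]) -> bool:
    """Authorization check for the unmasked endpoint."""
    return FULL_READ_PERMISSION in permissions

def full_response(details: BankDetails, permissions: FrozenSet[str]) -> dict:
    """Endpoint 2: the separate, more tightly protected API for callers that
    really need the unmasked values. Refuses without the explicit permission."""
    if not can_read_full(permissions):
        raise PermissionError(f"full bank details require {FULL_READ_PERMISSION}")
    return {"iban": details.iban.replace(" ", ""),
            "bank_code": details.bank_code,
            "account_number": details.account_number}
```

Because the frontend only ever calls the masked endpoint, there is nothing left in the browser traffic for a user to unmask.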
