How to design API URLs to comply with GDPR and OWASP and avoid Personal Identifiable Information in URL
Personal Identifiable Information (PII) should be considered sensitive information and OWASP states that sensitive data should not be part of the URL. https://owasp-aasvs.readthedocs.io/en/latest/requirement-9.1.html
GDPR states that "an online identifier" identifying a person directly or indirectly is PII. https://gdpr.eu/article-4-definitions/
An API providing user preferences where a resource item could look like:
```json
{
  "id": "abc123",
  "language": "en_EN",
  "favoriteColor": "BLUE",
  "userId": "[email protected]"
}
```
(`id` is a generated identifier.)
Would it then be ok for an API to have a link to this resource?
https://example.com/user-preferences/abc123
From my understanding this would be an example of an indirect online identifier. Does that mean the id needs to be encrypted? And if that is the case, does that mean each encryption of the id (i.e. every time a URL is provided from the API) must be encrypted with a different salt to avoid introducing a new indirect identifier?
Different URLs for the same resource:
https://example.com/user-preferences/87wytu09ufwc2ercler4ri // abc123 encrypted with salt A
https://example.com/user-preferences/diu4w98iuywfgommbvwdxe // abc123 encrypted with salt B
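The two URL shapes the question contrasts, as an added illustration that is not part of the original post: a stable URL built from a random surrogate id that is not derived from the e-mail, and a per-issue short-lived link that differs on every call but is resolved by a server-side lookup instead of by encrypting the id with a fresh salt. The store, its method names and the sample addresses are constructed for this example; only the base URL comes from the question.

```python
import secrets
import time
from urllib.parse import urlparse

BASE = "https://example.com/user-preferences"  # base URL from the question


class PreferenceStore:
    """Constructed in-memory store; the e-mail stays server-side, never in a URL."""

    def __init__(self, link_ttl_seconds=300):
        self._records = {}  # opaque resource id -> preference record
        self._links = {}    # short-lived link token -> (resource id, expiry)
        self._ttl = link_ttl_seconds

    def create(self, user_email, language, favorite_color):
        # Random surrogate id: not derived from the e-mail, so the stable URL
        # carries no information about whom the resource belongs to.
        rid = secrets.token_urlsafe(16)
        self._records[rid] = {"id": rid, "language": language,
                              "favoriteColor": favorite_color, "userId": user_email}
        return rid

    def stable_url(self, rid):
        return f"{BASE}/{rid}"

    def issue_link(self, rid):
        # A different URL on every call for the same resource; the mapping back
        # to the id lives in the store, so no key or salt is needed in the URL.
        token = secrets.token_urlsafe(16)
        self._links[token] = (rid, time.monotonic() + self._ttl)
        return f"{BASE}/link/{token}"

    def resolve(self, url, requesting_user):
        """Return the record for a URL, or None if unknown, expired or not owned."""
        parts = urlparse(url).path.rstrip("/").split("/")
        if len(parts) >= 2 and parts[-2] == "link":
            entry = self._links.get(parts[-1])
            if entry is None:
                return None
            rid, expiry = entry
            if time.monotonic() >= expiry:
                self._links.pop(parts[-1], None)  # drop the expired link
                return None
        else:
            rid = parts[-1]
        record = self._records.get(rid)
        # Hiding the identity in the URL is not authorization: the caller must
        # still be checked against the owner of the resource.
        if record is None or record["userId"] != requesting_user:
            return None
        return record
```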
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow