Sensitive Data Exposure in Cookies in Plaintext

Issue

Sensitive data exposure in cookies in plaintext

Impacted Frameworks and Reasons

GDPR (Articles 5 and 28)

  • Article 5 requires data minimization, purpose limitation, and integrity. Storing personal data in cookies in plaintext increases the risk of unauthorized access and violates these principles.
  • Article 28 requires appropriate safeguards for data handled by processors. Cookies accessible to client side scripts or external domains weaken control.

CCPA and CPRA

  • Requires transparency and control over how personal data is shared and used.
  • If cookies expose personal data to analytics, advertising, or third party services without proper notice or opt out options, this is considered unauthorized sharing.

HIPAA

  • PHI must be protected and restricted to authorized entities.
  • Storing PHI in cookies in plaintext makes it easily accessible to the browser, third party libraries, or network logs, resulting in an unauthorized disclosure.

PCI

  • Cardholder data must never be stored in plaintext in a client side storage location.
  • Cookies containing cardholder data directly violate PCI storage and transmission requirements.

GLBA

  • Requires safeguards to protect customer financial information.
  • Cookies with sensitive financial data increase exposure risk and show insufficient security controls.

PIPEDA

  • Requires secure handling and informed consent for personal data.
  • Sensitive data in cookies without clear disclosure or protection breaks responsible handling requirements.

APPI

  • Requires purpose limitation and confidentiality protections.
  • Plaintext cookies undermine confidentiality and may violate restrictions on external disclosure.

NIST 800 53

  • Emphasizes secure storage, access control, and confidentiality of sensitive information.
  • Plaintext cookies are vulnerable to interception and client side access, weakening confidentiality controls.

ISO IEC 29100

  • Requires accountability, transparency, and strong data protection measures.
  • Storing sensitive data in cookies in plaintext lacks adequate safeguards.

KSA PDPL

  • Requires lawful processing and safeguards to prevent unauthorized disclosure.
  • Cookies accessible to untrusted code or domains increase unauthorized disclosure risk.

UAE PDPL

  • Processing must remain properly protected and aligned with declared purpose.
  • Plaintext cookies risk unintended processing and access.

Qatar PDPPL

  • Requires measures to prevent unauthorized access or disclosure.
  • Storing sensitive data in cookies in plaintext increases the likelihood of exposure.

Avoid storing sensitive data in cookies wherever possible. Use session identifiers or tokens that reference secure server side data instead of embedding sensitive values directly. Document and enforce data handling rules that prohibit plaintext cookie storage.

Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Sensitive Data Exposure in Local Storage in Plaintext

© 2025 HoundDog.ai, Inc. All rights reserved.

On This Page
Sensitive Data Exposure in Cookies in PlaintextIssueImpacted Frameworks and ReasonsGDPR (Articles 5 and 28)CCPA and CPRAHIPAAPCIGLBAPIPEDAAPPINIST 800 53ISO IEC 29100KSA PDPLUAE PDPLQatar PDPPLRecommended Remediation