Anthropic-Cybersecurity-Skills/skills/testing-for-sensitive-data-exposure/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Testing for Sensitive Data Exposure

## requests Library

### TLS Verification

```python
import requests

# Check HTTP to HTTPS redirect: with redirects disabled, a well-configured
# site answers the plain-HTTP request with a 301/308 whose Location is https://
resp = requests.get("http://target.com/", allow_redirects=False)
redirects_to_https = resp.is_redirect and resp.headers.get("Location", "").startswith("https://")

# Check HSTS header on the HTTPS origin (empty string means the header is absent)
resp = requests.get("https://target.com/")
hsts = resp.headers.get("Strict-Transport-Security", "")
```

## Secret Detection Patterns

| Pattern | Regex | Example |
|---|---|---|
| AWS Access Key | `AKIA[0-9A-Z]{16}` | `AKIAIOSFODNN7EXAMPLE` |
| Google API Key | `AIza[0-9A-Za-z\-_]{35}` | `AIzaSyA...` |
| Stripe Secret | `sk_live_[0-9a-zA-Z]{24,}` | `sk_live_...` |
| GitHub Token | `ghp_[a-zA-Z0-9]{36}` | `ghp_xxxx...` |
| Private Key | `-----BEGIN PRIVATE KEY-----` | PEM format |

## Exposed File Checks

| File | Risk |
|---|---|
| `.env` | Environment variables with secrets |
| `.git/config` | Git configuration (may contain tokens) |
| `config.json` | Application configuration |
| `.aws/credentials` | AWS access keys |
| `phpinfo.php` | Server configuration disclosure |

## Sensitive API Response Fields

Fields that should never appear in API responses:

- `password`, `password_hash`, `salt`
- `ssn`, `credit_card`, `cvv`
- `api_key`, `secret_key`, `private_key`
- `access_token`, `refresh_token`
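An added Python example, not part of this skill's reference file, that applies the regexes from the Secret Detection Patterns table and the field names from the list above to a constructed API response. The `redact` helper and the JSONPath-style locations are my own conventions, and the private-key pattern is widened (beyond the table's literal header) so `RSA`/`EC` PEM headers also match.

```python
import json
import re

# Regexes from the Secret Detection Patterns table; the PEM pattern is widened
# (my addition) so "-----BEGIN RSA PRIVATE KEY-----" style headers also match.
SECRET_PATTERNS = {
    "AWS Access Key": r"AKIA[0-9A-Z]{16}",
    "Google API Key": r"AIza[0-9A-Za-z\-_]{35}",
    "Stripe Secret": r"sk_live_[0-9a-zA-Z]{24,}",
    "GitHub Token": r"ghp_[a-zA-Z0-9]{36}",
    "Private Key": r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----",
}

# Field names from the Sensitive API Response Fields list.
SENSITIVE_FIELDS = {"password", "password_hash", "salt", "ssn", "credit_card", "cvv",
                    "api_key", "secret_key", "private_key", "access_token", "refresh_token"}

def redact(token):
    """Keep the identifying prefix, mask the rest so findings can be logged safely."""
    return token[:4] + "*" * (len(token) - 4)

def find_secrets(text):
    """Return [(pattern_name, redacted_match)] for every secret-looking token in text."""
    return [(name, redact(m.group(0)))
            for name, pat in SECRET_PATTERNS.items()
            for m in re.finditer(pat, text)]

def find_sensitive_fields(obj, path="$"):
    """Walk a decoded JSON body; return JSONPath-style locations of sensitive keys."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_FIELDS:
                found.append(child)
            found.extend(find_sensitive_fields(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(find_sensitive_fields(value, f"{path}[{i}]"))
    return found

# Constructed API response body (not a real capture) that leaks on both axes.
SAMPLE_BODY = json.dumps({
    "user": {"id": 7, "email": "a@example.com", "password_hash": "$2b$12$abc",
             "profile": {"api_key": "AKIAIOSFODNN7EXAMPLE"}},
    "tokens": [{"access_token": "ghp_0123456789abcdef0123456789abcdef0123"}],
})
```

Run `find_secrets(SAMPLE_BODY)` on the raw text and `find_sensitive_fields` on the decoded body; both checks are needed, since a field name can be clean while its value is a credential and vice versa.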

## Cache-Control for Sensitive Pages

```http
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
```

## References