Excessive Data Exposure, listed as API3:2019 in the OWASP API Security Top 10, occurs when APIs expose more data than necessary, relying on clients to filter or discard what they don't need. This often happens when APIs return full database objects or sensitive fields like passwords, tokens, or internal IDs, even if the client only displays a small portion. Attackers can easily inspect API responses and extract this data, leading to privacy breaches or further attacks. To prevent this, APIs should limit responses to only the required fields and apply strict data filtering and output validation on the server side.
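The contrast between relying on the client to filter and filtering on the server, as an added Python example (not from OWASP or the original text). The record, field names and sensitive-name markers are constructed for illustration; the allow-list projection and the output check are the two server-side controls the paragraph describes.

```python
# Constructed sample record standing in for a full ORM row returned by a user lookup.
USER_ROW = {
    "id": 42,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$constructed-placeholder-hash",
    "session_token": "constructed-session-token",
    "internal_account_id": "ACC-0001",
    "payment": {"card_last4": "4242", "card_token": "tok_constructed"},
}

# Fields the public profile view actually needs; anything not listed is never emitted.
PUBLIC_PROFILE_FIELDS = ("id", "username")

# Key-name fragments that must never reach a client; a last-line output check, not the
# primary control (the allow-list is).
SENSITIVE_FIELD_MARKERS = ("password", "token", "secret", "internal_")

def serialize_vulnerable(row):
    """API3:2019 pattern: return the whole record and trust the client to hide fields."""
    return dict(row)

def serialize_profile(row):
    """Hardened pattern: project the record onto an explicit allow-list of fields."""
    return {name: row[name] for name in PUBLIC_PROFILE_FIELDS if name in row}

def leaked_fields(payload, path=""):
    """Output validation: walk nested dicts/lists and return paths of sensitive-looking keys."""
    found = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            full = f"{path}.{key}" if path else key
            if any(marker in key.lower() for marker in SENSITIVE_FIELD_MARKERS):
                found.append(full)
            found.extend(leaked_fields(value, full))
    elif isinstance(payload, list):
        for index, item in enumerate(payload):
            found.extend(leaked_fields(item, f"{path}[{index}]"))
    return sorted(found)

def exposes_sensitive_data(row, serializer):
    """True when the serializer's output would leak a sensitive-looking field."""
    return bool(leaked_fields(serializer(row)))

def respond(row, serializer):
    """Build the response, refusing to emit it if the output check finds sensitive fields."""
    payload = serializer(row)
    leaks = leaked_fields(payload)
    if leaks:
        raise ValueError(f"response blocked, sensitive fields present: {leaks}")
    return payload

if __name__ == "__main__":
    print(respond(USER_ROW, serialize_profile))
    print(leaked_fields(serialize_vulnerable(USER_ROW)))
```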