CWE-311 Missing Encryption of Sensitive Data
What this means
SiteShadow flagged sensitive data being stored or transmitted without encryption where encryption is expected (tokens, credentials, PII, customer data, backups).
Why it matters
Unencrypted sensitive data can be exposed or intercepted.
- Breach impact increases: stolen data is immediately readable.
- Insider/vendor risk: plaintext data is easier to access in logs, backups, and support tooling.
- Regulatory exposure: many regimes assume encryption at rest/in transit for certain data.
Safer examples
1) Use TLS for data in transit
Use HTTPS for all sensitive endpoints and keep certificate verification enabled (see T01 / CWE-295 / CWE-296).
2) Encrypt sensitive data at rest (when appropriate)
If you must store sensitive values, use vetted libraries and authenticated encryption (AES-GCM / ChaCha20-Poly1305) and manage keys securely.
3) Don't "encrypt passwords"
Passwords should be hashed using a password hashing algorithm (Argon2id/scrypt/bcrypt) (see P02 / CWE-256).
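The encrypt-at-rest pattern from example 2, as an added illustration that is not SiteShadow's own code: AES-256-GCM via Go's standard library, with the record ID bound as associated data so a ciphertext cannot be silently moved to another row, and a length check so corrupt input returns an error instead of panicking. Names (newAEAD, Seal, Open) and the key source are assumptions; the key must come from a KMS or secret manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// newAEAD builds an AES-256-GCM AEAD. The 32-byte key is assumed to be
// fetched from a KMS or secret manager, never embedded in source or config.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a sensitive value (token, PII field) before it is persisted.
// The record ID is bound as associated data, so a ciphertext copied to another
// row fails to decrypt. Output layout: nonce || ciphertext || GCM tag.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or record ID makes
// the authentication check fail, returning an error rather than garbage.
func Open(key []byte, recordID string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed value too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], []byte(recordID))
}
```

Storing the returned slice (base64 if the column is text) instead of the plaintext is what turns the finding into a pass; the decrypt path gives a clean error on a tampered or misfiled row.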
How SiteShadow detects it (high level)
- Detects sensitive data flows (password/token/PII-like fields) being persisted or transmitted.
- Flags missing encryption when data is stored to disk/db or sent over insecure channels.
References
- CWE-311: https://cwe.mitre.org/data/definitions/311.html
---