Pii Leakage in Chi with Basic Auth

Chi is a lightweight HTTP client for .NET that allows developers to send requests and handle responses with minimal overhead. When Basic Authentication is used, credentials are typically passed using an Authorization header with a base64-encoded username:password pair. While encoding is not encryption, base64 can be trivially decoded by an attacker who intercepts the traffic or gains access to logs. If API endpoints exposed through Chi do not enforce transport-layer encryption, these credentials—and any PII returned in response bodies or headers—can be exposed in clear text.

In secure API design, endpoints that return personally identifiable information (PII) must require authenticated and authorized access. With Basic Auth alone, there is no inherent mechanism to restrict access based on roles or attributes. An attacker who knows or guesses a valid credential pair can access PII such as email addresses, names, or government identifiers. Even when TLS is used, misconfigurations or deprecated protocols can weaken the protection, enabling credential and PII leakage via packet capture or log exposure.

middleBrick scans unauthenticated attack surfaces and includes Authentication and Data Exposure checks that specifically evaluate how credentials and sensitive data are handled. When scanning a Chi-based API, the tool tests whether PII is returned over unencrypted channels and whether Basic Auth credentials are transmitted securely. The scanner also checks whether responses containing PII are inadvertently cached by intermediaries or exposed through verbose error messages that include stack traces or data fields. These findings map to OWASP API Top 10 controls for Security Misconfiguration and Sensitive Data Exposure, as well as relevant portions of GDPR and HIPAA that regulate how PII must be protected in transit and at rest.

Using OpenAPI specifications with full $ref resolution, middleBrick cross-references declared response schemas with actual runtime data. If an endpoint documented as returning user profile information does not require authentication or uses Basic Auth without additional safeguards, the scan highlights this as a high-risk Data Exposure finding. This helps developers understand that while Chi makes HTTP calls simple, responsibility for securing credential flow and protecting PII remains with the API designer and operator.

To reduce the risk of PII leakage when using Chi with Basic Auth, always enforce HTTPS and avoid sending credentials in environments where they can be logged or intercepted. Use secure storage for credentials and prefer more robust authentication mechanisms when possible. Below are concrete examples of how to implement Basic Auth safely in Chi, with a focus on protecting PII.

Example 1: Basic Auth over HTTPS with secure credential handling

Ensure the request uses HTTPS and credentials are not hard-coded. Store sensitive values using environment variables and validate server certificates.

using System;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

class Program
{
    static async Task Main()
    {
        var username = Environment.GetEnvironmentVariable("API_USER");
        var password = Environment.GetEnvironmentVariable("API_PASS");
        var baseAddress = Environment.GetEnvironmentVariable("API_BASE_URL");

        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password) || string.IsNullOrEmpty(baseAddress))
        {
            Console.WriteLine("Missing required environment variables.");
            return;
        }

        var handler = new HttpClientHandler
        {
            // Enforce TLS 1.2 or higher in production environments
            // SslProtocols = System.Security.Authentication.SslProtocols.Tls12
        };

        using var client = new HttpClient(handler)
        {
            BaseAddress = new Uri(baseAddress)
        };

        var authToken = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{username}:{password}"));
        client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", authToken);

        // Example secure request to an endpoint that may return PII
        var response = await client.GetAsync("/api/v1/user/profile");
        response.EnsureSuccessStatusCode();

        var content = await response.Content.ReadAsStringAsync();
        Console.WriteLine(content);
    }
}

Example 2: Avoid logging credentials and PII

Ensure that logging mechanisms do not capture Authorization headers or response bodies containing PII. Configure logging filters to exclude sensitive fields.

using Microsoft.Extensions.Logging;

// Configure logger to exclude sensitive headers
var loggerFactory = LoggerFactory.Create(builder =>
{
    builder.AddConsole();
    builder.SetMinimumLevel(LogLevel.Warning);
    // In production, filter or redact PII before logging
});

var logger = loggerFactory.CreateLogger<Program>();
// Safe: log only status and path, not headers or body
logger.LogInformation("Request completed with status {StatusCode}", response.StatusCode);

Complementary protections

While these examples focus on Chi and Basic Auth, consider layering protections such as short-lived tokens, mutual TLS, or OAuth2 where feasible. middleBrick’s Pro plan supports continuous monitoring and CI/CD integration, helping you detect regressions in authentication and PII handling before they reach production. The CLI can be used locally to validate configurations:

middlebrick scan https://api.example.com

Findings from the scan can guide targeted fixes and help align implementation with compliance frameworks such as OWASP API Top 10 and GDPR.