Pii Leakage in Chi with Mutual Tls
Pii Leakage in Chi with Mutual Tls — how this specific combination creates or exposes the vulnerability
Pii Leakage in a Chi application that uses Mutual TLS (mTLS) often stems from misconfiguration at the transport layer and application-level handling of identity. Even when both client and server present certificates, sensitive data can still be exposed if the server does not properly validate the client identity before processing or logging request details. For example, if a Chi route logs headers, query parameters, or the request body without filtering fields like email or national ID, and those values are tied to the authenticated principal, the logs or responses may inadvertently expose Pii. Another scenario occurs when mTLS is enforced but route-level authorization is missing or incomplete; an authenticated client might access another client’s data through IDOR, where the server incorrectly associates a resource ID with the wrong principal despite valid client certificates. The presence of mTLS can create a false sense of security, leading developers to skip additional checks such as input validation and strict schema enforcement. Without these, an attacker can supply malformed payloads that trigger verbose error messages or stack traces containing Pii. Additionally, if the server serializes responses that include sensitive fields—such as embedding user profiles or tokens in JSON—and those responses are cached or logged, the Pii is exposed. In Chi, this often manifests through improper use of context values or middleware that propagate authenticated client details without sanitization. Because mTLS binds a certificate to a principal, any leakage in how that principal’s data is handled becomes more impactful: the authenticated identity links directly to the Pii, making the exposure a clear confidentiality violation under frameworks like OWASP API Top 10 and GDPR.
Mutual Tls-Specific Remediation in Chi — concrete code fixes
To reduce Pii leakage risk in Chi with mTLS, enforce strict separation between authenticated identity and data handling, and validate all inputs and outputs. Below are concrete code examples for a Chi application using mutual TLS with certificate verification and safe route handling.
1. Configure mTLS in Chi routes
Ensure the server verifies client certificates and extracts identity without exposing raw certificate fields in logs. Use ring_tls or equivalent to terminate TLS and validate peer certificates before routing.
(ns myapp.core
(:require [cheshire.core :as json]
[ring.middleware.ssl :refer [wrap-ssl-redirect]]))
(defn authenticated-routes [handler]
(wrap-ssl-redirect handler))
(defn verify-client-cert [request]
(let [client-cert (get-in request [:ssl-client-cert :subject])]
(if (and client-cert (valid-certificate? client-cert))
(assoc request :client-identity (:common-name client-cert))
(throw (Exception. "Unauthorized")))))
(def app
(-> (routes
(GET "/profile" request
(let [identity (:client-identity (verify-client-cert request))
profile (get-profile-for-identity identity)]
(-> profile
(dissoc :ssn :api-key) ; explicitly remove Pii
(json/generate-string)))))
(wrap-ssl-redirect)
(wrap-params)))
2. Avoid logging or echoing Pii from request context
Ensure request and response bodies are sanitized before any logging. In Chi, wrap handlers to filter sensitive fields.
(defn sanitize-logging [handler]
(fn [request]
(let [response (handler request)]
(log/info :event :request
:path (:uri request)
:client-identity (:client-identity (:request request))
:method (:request-method request))
(dissoc response :body)))) ; avoid logging body
3. Validate and limit input to prevent injection and verbose errors
Use schema validation so malformed data does not expose internal details. Combine with safe error handling that does not return Pii.
(ns myapp.validation
(:require [malli.core :as m]
[malli.error :as me]))
(def profile-schema
[:map
[:email :email]
[:user-id pos-int?]])
(defn validate-profile [data]
(if (m/validate profile-schema data)
data
(throw (Exception. "Invalid input"))))
4. Enforce per-request authorization even with mTLS
After verifying the certificate, ensure the identity matches the resource being accessed. For example, when retrieving a profile by ID, compare the ID to the identity derived from the certificate.
(defn get-profile-for-identity [request]
(let [identity (:client-identity (verify-client-cert request))
profile-id (Long/parseLong (get-in request [:params :id]))]
(if (= identity profile-id)
(fetch-profile profile-id)
(throw (Exception. "Forbidden")))))
5. Use middleware to strip Pii from responses
Before sending responses to clients, remove or mask fields that should not leave the service.
(defn strip-pii [handler]
(fn [request]
(let [response (handler request)]
(update response :body #(dissoc % :ssn :api-key)))))
Related CWEs: dataExposure
| CWE ID | Name | Severity |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information | HIGH |
| CWE-209 | Error Information Disclosure | MEDIUM |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | HIGH |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | MEDIUM |
| CWE-312 | Cleartext Storage of Sensitive Information | HIGH |
| CWE-359 | Exposure of Private Personal Information (PII) | HIGH |
| CWE-522 | Insufficiently Protected Credentials | CRITICAL |
| CWE-532 | Insertion of Sensitive Information into Log File | MEDIUM |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File | HIGH |
| CWE-540 | Inclusion of Sensitive Information in Source Code | HIGH |