Data Protection in Web Apps:A Simple Developer Guide
Every app handles data, but not all data is equal. A blog title is public. A password, a card number, or a home address is not. Data protection is about treating sensitive data with the care it needs at every step. This guide keeps it simple and practical. It maps to chapter V14 of the OWASP standard, which you can explore in the ASVS Explorer.
What Counts as Sensitive Data?
Sensitive data is any information that could harm a person or your business if it leaked. It helps to sort your data into a few levels so you know how much protection each needs. This is called data classification, and it does not have to be complicated.
| Level | Examples | How to treat it |
|---|---|---|
| Public | Blog posts, product pages, marketing content | No special protection needed. |
| Internal | Internal docs, non sensitive settings | Keep behind login and access control. |
| Sensitive | Personal data, emails, addresses, order history | Encrypt, limit access, and log who reads it. |
| Highly sensitive | Passwords, card numbers, health data, keys | Strong encryption, strict access, short retention, and extra care. |
Why Is Collecting Less Data a Security Control?
The simplest way to protect data is to not hold it in the first place. This idea is called data minimization. If you do not collect a phone number you do not need, it cannot leak. If you delete old records you no longer use, they cannot appear in a future breach. Before you add a field to a form or a column to a table, ask whether you truly need it and how long you need to keep it. Holding less sensitive data lowers both your risk and your legal duties under privacy laws such as GDPR.
How Do You Protect Data at Each Stage?
Sensitive data moves through three stages, and each needs its own protection.
- In transit. While data travels across the network, protect it with HTTPS and TLS so no one can read or change it. See our guide on HTTPS and TLS for the settings.
- At rest. While data sits in a database, disk, or backup, encrypt it so a stolen copy is useless without the keys. Hash passwords with a strong algorithm rather than encrypting them, as covered in our password security guide.
- In use and in the client. Be careful what you send to the browser and how it is stored there. Do not put sensitive data in localStorage where scripts can read it, and control caching so private pages are not saved on shared devices.
How Do You Control Caching of Private Data?
Browsers and proxies try to cache responses to make sites faster, but caching a private page can leave personal data on a shared computer or in an intermediate server. For pages and API responses that contain sensitive data, tell caches not to store them. A response header does this clearly.
Cache-Control: no-store
This tells browsers and shared caches not to keep a copy of the response. Use it on account pages, search results with personal data, and any API that returns sensitive fields.
Data Protection Checklist
- 1List your data and sort it into levels so you know what needs the most care.
- 2Collect only the sensitive data you truly need, and keep it only as long as you need it.
- 3Encrypt sensitive data in transit with HTTPS and at rest in your database and backups.
- 4Hash passwords with a strong algorithm instead of storing or encrypting them.
- 5Keep sensitive data out of browser storage that scripts can read.
- 6Set Cache-Control no-store on pages and responses with private data.
- 7Limit who and what can read sensitive data, and log access to it.
- 8Delete data you no longer need on a clear schedule.