Update 0xa3-excessive-data-exposure.md

inonshk · web-flow · commit 735f37591ad7 · 2019-12-16T11:04:14.000-08:00
diff --git a/2019/en/src/0xa3-excessive-data-exposure.md b/2019/en/src/0xa3-excessive-data-exposure.md
@@ -44,13 +44,14 @@ the site.
   data.
 * Backend engineers should always ask themselves "who is the 
   consumer of the data?" before exposing a new API endpoint.
-* Use generic methods like "to_json" and "to_string" from the ORM / Model level 
-  very carefully.
-* Classify sensitive and personally identifiable information (PII) that your
-  application stores and works.
+* Avoid using generic methods such as to_json() and to_string(). 
+  Instead, cherry-pick specific properties you really want to return
+* Classify sensitive and personally identifiable information (PII) that 
+  your application stores and works with, reviewing all API calls returning such
+  information to see if these responses pose a security issue.
 * Implement a schema-based response validation mechanism as an extra layer of 
   security. As part of this mechanism define and enforce data returned by all API 
-  methods.
+  methods, including errors.
   
 
 ## References
