In our application, Organization/Employee Information has PII (Personally identifiable information) like Bank Account Info, Social Security number etc. This data is transmitted from the REST API response to the browser.
We have already following controls implemented
- Data is transmitted over https
- Authentication
- Only Authorized users will be able to see full information
- Data in the database is stored in an encrypted and masked format
- APIs also have security controls. Only valid users will be able to execute REST APIs.
we wanted to add another layer of security i.e. data transmitted over https should be encoded.
In the Chrome browser, if the user presses F12 and opens dev tools, the user would be able to see REST API response JSON and data in a readable format. So we wanted to ensure that PII data transmitted should not be in readable format instead it should be encoded format.
If we encode REST API JSON in Base64 and decode in JavaScript using Base64, then still hackers can hack data and decode using Base64.
Are there any other suggestions/recommendations about encoding/Hashing PII data so that data is NOT in the readable format while transmission? Any sample implementation would be helpful.
