API endpoints return more data than the client needs, relying on the client to hide sensitive fields instead of filtering them at the server.
An attacker can intercept API responses (for example with a proxy or the browser's developer tools) to read sensitive fields that are sent but never shown in the UI, such as internal IDs, email addresses, or other personal information.
Filter responses on the server so that each endpoint returns only the fields the client needs. Define an explicit response schema (an allowlist of fields) per endpoint and per user role, rather than sending the full record and removing a few fields. Never rely on client-side filtering for security. Review every API response against its schema for unnecessary data exposure.
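The following is an added example, not code from the original page: a user lookup handler written first in the vulnerable form (the whole database row goes to the client) and then with server-side filtering through one explicit allowlist per viewer role, plus a small review helper that reports any field a response contains beyond its schema. The record, field names and the roles "public", "self" and "admin" are constructed for illustration.

```python
"""Added example: server-side response filtering with explicit per-role schemas.

The record, field names and roles below are constructed for illustration;
they are not taken from any particular API.
"""

# Constructed sample row, as a user lookup would return it from the database.
USER_RECORD = {
    "id": 1042,                      # internal primary key
    "public_id": "u_8f3a",           # identifier safe to show to other users
    "username": "alice",
    "display_name": "Alice",
    "email": "alice@example.com",
    "phone": "+1-555-0100",
    "password_hash": "$2b$12$constructedhashvalue",
    "internal_notes": "flagged for manual review",
    "created_at": "2024-01-02T03:04:05Z",
}

# Fields that must never leave the server, whatever the role.
NEVER_EXPOSE = frozenset({"id", "password_hash"})

# One explicit allowlist per viewer role. Anything not listed is dropped.
RESPONSE_SCHEMAS = {
    "public": frozenset({"public_id", "username", "display_name"}),
    "self":   frozenset({"public_id", "username", "display_name",
                         "email", "phone", "created_at"}),
    "admin":  frozenset({"public_id", "username", "display_name",
                         "email", "phone", "created_at", "internal_notes"}),
}

# Misconfiguration guard: a schema that lists a never-expose field is a bug,
# so fail at import time rather than at request time.
for _role, _fields in RESPONSE_SCHEMAS.items():
    assert not (_fields & NEVER_EXPOSE), f"schema {_role!r} exposes {_fields & NEVER_EXPOSE}"


def vulnerable_get_user(record):
    """The pattern the page describes: the whole row goes to the client and
    the UI is trusted to hide email, phone, password_hash and the rest."""
    return dict(record)


def resolve_role(record, viewer_id, viewer_is_admin):
    """Decide which schema applies to this viewer for this record."""
    if viewer_is_admin:
        return "admin"
    if viewer_id is not None and viewer_id == record["id"]:
        return "self"
    return "public"


def serialize_user(record, role):
    """Project the record onto the role's allowlist. Unknown roles fail closed."""
    try:
        allowed = RESPONSE_SCHEMAS[role]
    except KeyError:
        raise ValueError(f"no response schema for role {role!r}") from None
    return {name: value for name, value in record.items() if name in allowed}


def get_user(record, viewer_id=None, viewer_is_admin=False):
    """Hardened handler: filtering happens here, before the response is built."""
    return serialize_user(record, resolve_role(record, viewer_id, viewer_is_admin))


def audit_response(response, role):
    """Review helper: fields present in a response that the role's schema does
    not permit. An empty set means the response is within its schema."""
    return set(response) - RESPONSE_SCHEMAS[role]


if __name__ == "__main__":
    leaked = audit_response(vulnerable_get_user(USER_RECORD), "public")
    print("vulnerable handler leaks to anonymous viewers:", sorted(leaked))
    print("hardened handler, anonymous viewer:", get_user(USER_RECORD))
    print("hardened handler, owner:", get_user(USER_RECORD, viewer_id=1042))
    print("hardened handler, admin:", get_user(USER_RECORD, viewer_is_admin=True))
```

The allowlist is deliberately the only path from the record to the response: a new column added to the table later is invisible to clients until someone adds it to a schema, which is the safe default. audit_response is the check to run over recorded responses (for example in an integration test) when reviewing an API for fields nobody asked for.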