
CWE-615: Information Exposure Through Comments

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected sensitive information in HTML or JavaScript comments that are visible in HTTP responses. Typical evidence is an API key, a password, an internal hostname or URL, or a developer note or TODO that describes security-relevant behaviour, all left in client-side code. The scanner pattern-matches response bodies for HTML comments (<!-- -->) and JavaScript comments (// and /* */) whose text looks sensitive. Because the check is pattern-based, expect some false positives (license headers, harmless TODOs); triage each hit for what it actually discloses before treating it as confirmed.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-615 typically indicate that comments containing sensitive or internal information were included in client-visible responses, such as:

  • HTML comments in rendered pages
  • JavaScript comments in served scripts
  • Comments embedded in API responses
  • Source maps (.map files) or other debug artifacts that reveal the original, commented source

Evidence is based on observed response content, not on request parameters or payloads.
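The following is an added example, not the scanner's own code: a simplified version of the response-body check described above. It extracts HTML, block and line comments from any text body (page, served script, or API response), matches each comment against a small set of sensitive-pattern categories, and reports the syntax, category and line of each hit. The pattern sets, the Finding shape and the sample response are constructed for illustration; a real scanner ships far larger pattern lists and still needs the triage step noted earlier, since a regex extractor will also flag a // inside a JavaScript string literal.

```python
"""Find sensitive HTML/JavaScript comments in an HTTP response body.

Added example (not the scanner's own code): a simplified version of the
regex-based check a DAST tool performs on response bodies. Pattern sets and
the sample response below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Comment syntaxes to extract. Line comments must not be preceded by ':' so that
# the '//' inside 'https://...' in ordinary code is not mistaken for a comment.
COMMENT_SYNTAXES = {
    "html": re.compile(r"<!--(.*?)-->", re.DOTALL),
    "block": re.compile(r"/\*(.*?)\*/", re.DOTALL),
    "line": re.compile(r"(?<![:\\])//(.*)$", re.MULTILINE),
}

# What makes a comment "sensitive". Kept narrow on purpose: a scanner that flags
# every TODO produces noise that gets ignored.
SENSITIVE_PATTERNS = {
    "credential": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]"
    ),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "internal_host": re.compile(
        r"(?i)\b(?:https?://)?[\w.-]+\.(?:internal|local|corp|intranet)\b"
        r"|\b10(?:\.\d{1,3}){3}\b|\b192\.168(?:\.\d{1,3}){2}\b"
        r"|\b172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}\b"
    ),
    "dev_note": re.compile(
        r"(?i)\b(?:TODO|FIXME|HACK|XXX)\b.*\b(?:auth|security|bypass|disable|vuln|csrf|xss|sql)"
    ),
}


@dataclass(frozen=True)
class Finding:
    syntax: str    # "html", "block" or "line"
    category: str  # key of SENSITIVE_PATTERNS that matched
    line: int      # 1-based line in the response body where the comment starts
    excerpt: str   # comment text, whitespace-trimmed and truncated


def extract_comments(body: str):
    """Yield (syntax, line_number, text) for every comment in the body."""
    for syntax, pattern in COMMENT_SYNTAXES.items():
        for m in pattern.finditer(body):
            line_no = body.count("\n", 0, m.start()) + 1
            yield syntax, line_no, m.group(1).strip()


def scan_response(body: str) -> list[Finding]:
    """Return sensitive comments found in a response body, in document order.

    Works on any text body (HTML page, served script, or an API response that
    happens to carry commented text); the content type is not consulted.
    """
    findings = []
    for syntax, line_no, text in extract_comments(body):
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(text):
                findings.append(Finding(syntax, category, line_no, text[:80]))
    return sorted(findings, key=lambda f: (f.line, f.category))


# Constructed sample response: three comments that should be flagged and one
# (the copyright notice) that should not. No real hosts or keys.
SAMPLE_RESPONSE = """<!DOCTYPE html>
<html>
<head>
  <!-- TODO: remove before release, auth bypass for QA: ?debug=1 -->
  <script>
    var cfg = { api: "https://api.example.com/v1" };
    // staging endpoint: http://backend.corp.internal:8080/admin
    /* api_key = "sk_live_EXAMPLE_NOT_REAL" */
    function ok() { return true; }
  </script>
</head>
<body>
  <!-- Copyright 2024 Example Corp -->
  <p>Hello</p>
</body>
</html>
"""

if __name__ == "__main__":
    for f in scan_response(SAMPLE_RESPONSE):
        print(f"line {f.line:>3}  {f.syntax:<5} {f.category:<14} {f.excerpt}")
```

The copyright comment is extracted but produces no finding, which is the distinction the triage step relies on: the exposure is the content of the comment, not the presence of comment syntax.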

Mapping DAST Findings to Source Code

CWE-615 does not map to a specific endpoint or request parameter: the same comment is usually present in every response that serves the affected page or script, regardless of input. The issue resides in how comments and build artifacts are handled before responses are sent to clients.

When tracing this issue in code and build processes, review:

  • Templates or static assets served in production
  • Build pipelines (minifier, bundler, template engine) and which comments they strip or retain; minifiers commonly keep license-style comments such as /*! ... */ or those containing @preserve by default
  • Source map generation and deployment
  • Debug or diagnostic content included in responses

Remediation

Core Principle: Never allow comments or development artifacts containing sensitive or internal information to be exposed in client-visible responses; only explicitly intended runtime content may be delivered to users. Removing the comment does not undo the exposure: treat any credential, key or token found in a client-visible comment as compromised, rotate it, and move it to server-side secret management.

→ For comprehensive remediation guidance, see Static CWE-615 Guidance

Verification and Follow-Up Testing

After applying the fix:

1. Verify Response Content

  • Request the affected pages and scripts as a browser would and confirm that no sensitive comments remain in HTML, JavaScript, or API responses
  • Ensure source maps and debug artifacts are not served in production: request the URL named by any remaining sourceMappingURL directive and confirm it is not served

2. Test Edge Cases

  • Error pages and fallback responses
  • Minified vs non-minified assets
  • Environment-specific builds
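The build-pipeline review above and these verification steps can be turned into a pre-deploy gate. The script below is an added example, not part of this guidance or of any project's tooling: check_dist walks a build output directory (assumed to be exactly what the web server will serve) and fails when it finds deployed .map files, sourceMappingURL directives in scripts or stylesheets, HTML comments in pages, or JavaScript comments that survived minification. The two sample directories it creates are constructed for demonstration; in a pipeline you would point it at the real dist directory for each environment-specific build, including error pages and fallback responses if those are static files.

```sh
#!/bin/sh
# Added example: pre-deploy gate for CWE-615 artifacts in production build output.
# Not part of any project's tooling; DIR is assumed to be the directory the web
# server will serve verbatim.
set -u

# check_dist DIR: print one line per problem and return 1, or return 0 if clean.
check_dist() {
    dir=$1
    report=$(
        # 1. Source map files must never reach production.
        find "$dir" -type f -name '*.map' | sed 's/^/source map deployed: /'
        # 2. Served scripts/styles must not point browsers at a map file.
        find "$dir" -type f \( -name '*.js' -o -name '*.css' \) \
            -exec grep -l 'sourceMappingURL=' {} + | sed 's/^/sourceMappingURL directive: /'
        # 3. HTML comments left in pages or templates.
        find "$dir" -type f -name '*.html' \
            -exec grep -l '<!--' {} + | sed 's/^/html comment: /'
        # 4. JS line or block comments. '//' must not be preceded by ':' so that
        #    'https://' in ordinary code does not count as a comment.
        find "$dir" -type f -name '*.js' \
            -exec grep -El '(^|[^:])//|/\*' {} + | sed 's/^/js comment: /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample build outputs (not real project files).
bad_dist=$(mktemp -d)
mkdir -p "$bad_dist/assets"
cat > "$bad_dist/index.html" <<'EOF'
<!DOCTYPE html><html><head><!-- TODO: remove ?debug=1 bypass before go-live --><script src="assets/app.js"></script></head><body></body></html>
EOF
cat > "$bad_dist/assets/app.js" <<'EOF'
var api="https://api.example.com";// staging: http://backend.corp.internal:8080/admin
//# sourceMappingURL=app.js.map
EOF
: > "$bad_dist/assets/app.js.map"

good_dist=$(mktemp -d)
printf 'var api="https://api.example.com";\n' > "$good_dist/app.js"
printf '<!DOCTYPE html><html><head><script src="app.js"></script></head><body></body></html>\n' \
    > "$good_dist/index.html"

check_dist "$bad_dist" || echo "deploy gate: FAIL (expected for the constructed sample)"
check_dist "$good_dist" && echo "deploy gate: PASS"
```

The gate is deliberately strict about comment syntax rather than comment content: at deploy time the cheap, reliable check is "no comments and no maps at all", while the content-sensitive judgement belongs to the scanner triage. Wire it in as the last step before artifacts are uploaded, so a minifier configuration that silently starts retaining comments or emitting maps fails the build instead of the next DAST run.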

Re-run DAST Scanner

Re-run the dynamic scanner to confirm sensitive comments are no longer observed.

Additional Resources