Your Laravel API is probably exposing sensitive data
2026-2-21
When building an API with Laravel, some developers write this: return response()->json(User::find($id)); which is a HUGE security risk. You might think it is harmless, because you only intend to show a few important fields, so nothing else should be exposed, right? Actually, no.
When you return a model like this, you are not sending just the fields you want to show: the whole model, every attribute that was loaded from the database, is serialized into the network response. Anyone who opens the browser's network tab can read all of those details. That is very dangerous, especially when the model holds personal data you meant to keep hidden.
Say you're building a social media app and want to list accounts. If you list them with return response()->json(Account::all()); you have a big problem: every attribute of those accounts goes over the wire, including password hashes, names, addresses, emails and more. One solution is the $hidden property on the model, but it comes with a trade-off: once an attribute is in $hidden it is stripped from the model's serialized output in every context, including the ones where you do need it, so it is not the best solution.
Another solution is to map the collection before passing it to the response:

    $users = User::all()->map(function ($user) {
        return [
            'name'      => $user->name,
            'user_name' => $user->user_name,
        ];
    });

which is much safer, because only the keys you name ever leave the server. There are also other ways to achieve the same thing, such as API Resources and the pluck method.
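The following is an added example, not code from the original post, showing the leaky controller next to three allow-list alternatives the post mentions (map(), a select()/pluck-style projection, and an API Resource). It assumes a Laravel application with an Account Eloquent model whose table has the columns id, name, user_name, email, address and password; those names and the Account model are assumptions for the example.

```php
<?php
// file: app/Http/Resources/AccountResource.php (added example; model and column names assumed)

namespace App\Http\Resources;

use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;

// The allow-list lives in one reusable class: anything not listed here
// is never serialized, no matter which controller returns the resource.
class AccountResource extends JsonResource
{
    public function toArray(Request $request): array
    {
        return [
            'id'        => $this->id,
            'name'      => $this->name,
            'user_name' => $this->user_name,
        ];
    }
}

// file: app/Http/Controllers/AccountController.php (added example)

namespace App\Http\Controllers;

use App\Http\Resources\AccountResource;
use App\Models\Account;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Resources\Json\AnonymousResourceCollection;

class AccountController extends Controller
{
    // LEAKY: response()->json() serializes the entire model, so the password
    // hash, email and address columns are sent to every caller.
    public function indexUnsafe(): JsonResponse
    {
        return response()->json(Account::all());
    }

    // Option 1: explicit allow-list via map(). Only the named keys are emitted.
    public function indexMapped(): JsonResponse
    {
        $accounts = Account::all()->map(fn (Account $account) => [
            'name'      => $account->name,
            'user_name' => $account->user_name,
        ]);

        return response()->json($accounts);
    }

    // Option 2: select() only the public columns. The sensitive columns are
    // never read from the database, so they cannot be serialized by accident
    // even if someone later passes the models straight into json().
    public function indexSelected(): JsonResponse
    {
        $accounts = Account::query()
            ->select(['id', 'name', 'user_name'])
            ->get();

        return response()->json($accounts);
    }

    // Option 3: API Resource. Same allow-list as above, reused everywhere.
    public function index(): AnonymousResourceCollection
    {
        return AccountResource::collection(Account::all());
    }

    public function show(Account $account): AccountResource
    {
        return new AccountResource($account);
    }
}
```

A quick way to check any endpoint is to call it and compare the JSON keys against the model's column list: every key that is not on your intended allow-list is a leak. Options 1 to 3 all produce the same three keys; the select() variant adds defence in depth because the hidden columns are not even in memory when the response is built. $hidden still works alongside these, and Laravel's makeVisible() can re-expose an attribute for one specific response when an internal context genuinely needs it.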
In summary, when building a system, make sure you don't leak data by passing whole models straight into responses; return only the fields that are safe to show to the public.