Reports should not be made public

Impact area

Security

Severity

High

Affected elements

Report

Rule ID

SN-0406

Impact

When a report is published, the generated URL is public by default, which means the report data can be exposed to anyone, including people who are not users. A published report remains accessible until it is unpublished.

Remediation

Share reports using Groups, Users and Roles instead of publishing them. To make a report available only to logged-in users, set its Sharing setting to Everyone, but do not publish it.

Time to fix

15 min

References

This rule is linked to Common Weakness Enumeration CWE-284 Improper Access Control.

Last modified on Jul 28, 2021