PII Data Masking in Java Applications
Learn PII data masking in Java applications, including masking emails, phone numbers, account numbers, tokens, logs, DTOs, and safe response design.
What You Will Learn
- What PII is.
- Why masking is needed.
- How to mask common fields.
- Where to apply masking in Java applications.
- Common mistakes.
Introduction
PII means Personally Identifiable Information.
Examples:
- Name.
- Email.
- Phone.
- Address.
- SSN.
- Account number.
- Policy number.
Masking reduces accidental exposure in UI, logs, support screens, and API responses.
Masking Examples
| Field | Masked Output |
|---|---|
| [email protected] | v***@example.com |
| 9876543210 | ******3210 |
| 123456789 | *****6789 |
| Bearer token | [REDACTED] |
Java Masking Helper
```java
public final class MaskingUtils {

    private MaskingUtils() {}

    /** Keeps the last four characters and replaces everything before them with '*'. */
    public static String last4(String value) {
        // Values of four characters or fewer would be shown in full, so hide them entirely.
        if (value == null || value.length() <= 4) {
            return "****";
        }
        return "*".repeat(value.length() - 4) + value.substring(value.length() - 4);
    }
}
```
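The helper above covers only the last-four case. The following is an added example, not the article's own code, that handles the other rows of the masking table as well: the email form `v***@example.com`, full redaction of a bearer token, and an `Authorization` header value. The class name `PiiMasker`, the method names and the sample values in `main` are assumptions; it needs Java 11 or newer for `String.repeat`.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example masking helpers (assumed names, not from the article). */
public final class PiiMasker {

    // Local part before the first '@', domain after it.
    private static final Pattern EMAIL = Pattern.compile("^([^@]+)@(.+)$");

    private PiiMasker() {}

    /** Keep the last four characters; short or null values are hidden completely. */
    public static String last4(String value) {
        if (value == null || value.length() <= 4) {
            return "****";
        }
        return "*".repeat(value.length() - 4) + value.substring(value.length() - 4);
    }

    /** Keep the first character of the local part and the full domain: a***@example.com */
    public static String email(String value) {
        if (value == null) {
            return "****";
        }
        Matcher m = EMAIL.matcher(value.trim());
        if (!m.matches()) {
            return "****"; // not a well-formed address: do not echo it back partially
        }
        String local = m.group(1);
        return local.charAt(0) + "***@" + m.group(2);
    }

    /** Secrets (tokens, passwords, API keys) are never partially shown. */
    public static String redact(String secret) {
        return "[REDACTED]";
    }

    /** Keeps the scheme of an Authorization header value and redacts the credential. */
    public static String authorizationHeader(String headerValue) {
        if (headerValue == null) {
            return "[REDACTED]";
        }
        int space = headerValue.indexOf(' ');
        String scheme = space > 0 ? headerValue.substring(0, space) + " " : "";
        return scheme + redact(headerValue);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real data.
        System.out.println(email("alice@example.com"));
        System.out.println(last4("9876543210"));
        System.out.println(last4("123456789"));
        System.out.println(last4("1234"));
        System.out.println(authorizationHeader("Bearer constructed-sample-token"));
    }
}
```

Two design points: values shorter than the visible suffix are hidden entirely rather than shown in full, and malformed input is masked to `****` instead of being returned unchanged, so a masker never becomes a path for the original value to pass through. The email form still discloses the domain; for mailboxes on single-user domains that can be enough to identify the person, so treat the domain as part of the PII when the context demands it.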
Where to Mask
- API response DTOs.
- Logs.
- Audit exports.
- Admin screens.
- Error messages.
- Support tooling.
Masking Flow
```mermaid
flowchart LR
    A["Sensitive entity"] --> B["Authorization check"]
    B --> C["DTO mapper"]
    C --> D["Mask sensitive fields"]
    D --> E["API response"]
```
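The flow above, as an added example that is not part of the article: the persisted entity keeps the full values, the mapper checks authorization first, and the response DTO has room only for masked fields, so no serializer or log statement downstream can emit the originals. The `Customer`, `CustomerDto` and `Caller` records, the `SUPPORT` role and the sample values are assumptions; records require Java 16 or newer.

```java
import java.util.Set;

/** Added example: authorization check, then DTO mapping with masked fields (assumed names). */
public class CustomerMapperExample {

    /** Persisted record. Full values live here and are protected by storage encryption, not masking. */
    record Customer(long id, String email, String phone, String accountNumber) {}

    /** Response shape. Only masked values are ever placed in it, so its toString() is safe to log. */
    record CustomerDto(long id, String email, String phone, String accountNumber) {}

    /** Minimal caller context for the authorization decision. */
    record Caller(long userId, Set<String> roles) {}

    static String last4(String v) {
        if (v == null || v.length() <= 4) {
            return "****";
        }
        return "*".repeat(v.length() - 4) + v.substring(v.length() - 4);
    }

    static String maskEmail(String v) {
        int at = v == null ? -1 : v.indexOf('@');
        return at < 1 ? "****" : v.charAt(0) + "***@" + v.substring(at + 1);
    }

    /** Order matches the flow: authorization check, then mapping, then masking. */
    static CustomerDto toDto(Caller caller, Customer c) {
        boolean ownRecord = caller.userId() == c.id();
        boolean support = caller.roles().contains("SUPPORT");
        if (!ownRecord && !support) {
            // Deny before any field is mapped; the message carries ids only, never PII.
            throw new SecurityException("caller " + caller.userId() + " may not view customer " + c.id());
        }
        // Even an authorized caller receives masked values; the DTO never holds the originals.
        return new CustomerDto(c.id(),
                               maskEmail(c.email()),
                               last4(c.phone()),
                               last4(c.accountNumber()));
    }

    public static void main(String[] args) {
        // Constructed sample entity, not real data.
        Customer stored = new Customer(42L, "alice@example.com", "9876543210", "123456789");

        CustomerDto dto = toDto(new Caller(42L, Set.of("CUSTOMER")), stored);
        System.out.println("response: " + dto);   // logging the DTO is safe, logging 'stored' is not

        try {
            toDto(new Caller(7L, Set.of("CUSTOMER")), stored);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The same DTO is what audit exports, admin screens and support tooling should consume; if those surfaces read the entity directly they bypass both the authorization check and the masking. Logging the DTO rather than the entity is the simplest way to keep log lines in step with the API response.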
Important Rule
Masking does not replace encryption.
Use masking for display. Use encryption, tokenization, or hashing for storage protection.
Summary
PII masking reduces accidental disclosure. Apply it consistently in DTOs, logs, support tools, and error handling.
Learning Path Navigation
- Series home: Spring Security Learning Path
- Previous: Hashing vs Encryption vs Tokenization
- Next: Secure Logging and Preventing Sensitive Data Leaks