low

CWE-16

No Terms of Service

Without terms of service, you have no contractual basis to restrict abuse, terminate accounts for policy violations, or limit your liability for user-generated content.

How It Works

Terms of service define the contract between you and your users. Without them you have no agreed rules to point to when you suspend abusive users, no disclaimer limiting your liability for outages or user-generated content, no restriction on how the service may be used, and no contractual hook for enforcing your intellectual property rights. The acceptable use policy they contain is what turns API abuse (scraping, automated signups, resale of access) from a technical nuisance into a terminable breach. It does not prevent the abuse on its own, so you still need rate limiting and abuse detection alongside it.

Vulnerable Code
// BAD: service with no terms of service
// No /terms route
// No ToS checkbox in signup
// No acceptable use policy
// Result: no legal basis to terminate abusive accounts
Secure Code
<!-- GOOD: terms of service linked and agreed to at signup -->
<!-- Signup form: -->
<label>
  <input type="checkbox" required name="acceptedTerms" />
  I agree to the <a href="/terms">Terms of Service</a> and
  <a href="/privacy">Privacy Policy</a>
</label>
<!-- The required attribute is client-side only: the signup handler must also
     reject requests where acceptedTerms is missing, then store an
     acceptedTermsAt timestamp (and the ToS version) in the user record -->

Real-World Example

Companies without clear terms of service have struggled to remove spam accounts, scraping bots, or users violating platform policies: without a ToS, users never agreed to any rules, so enforcement is contested and legal action is significantly harder.

How to Prevent It

  • Create a terms of service covering acceptable use, liability limits, and account termination
  • Require explicit ToS acceptance at signup (a checkbox, not just a link in the footer) and enforce it on the server, since a required attribute on the checkbox is bypassed by any client that posts the form directly
  • Record the timestamp and the ToS version each user accepted, for legal documentation
  • Version the ToS, update it when you add features with new legal implications, and notify users of the change
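The checks in the list above, as an added example in JavaScript that is not code from the original page or from Data Hogo: the signup handler re-validates the checkbox on the server, stores when and which version of the ToS was accepted, and a second function decides whether a user must re-accept after the terms change. The in-memory users map, the TERMS_VERSION constant, the field names, and the form-value normalisation are assumptions made for this example.

```javascript
// Added example (not from the original page): server-side enforcement of ToS
// acceptance at signup, plus a re-acceptance check after the ToS changes.
// Assumptions: an in-memory user store and a hard-coded TERMS_VERSION; in a
// real service these live in your database and configuration.

const TERMS_VERSION = "2024-06-01"; // bump whenever the ToS text changes

// In-memory stand-in for the users table (constructed for this example).
const users = new Map();

// Normalise what the form posts: browsers send "on" for a checked box, but an
// API client may send true/"true"/1. Anything else counts as not accepted.
function parseAccepted(value) {
  return value === "on" || value === true || value === "true" ||
    value === 1 || value === "1";
}

// Server-side signup validation. The `required` attribute on the checkbox is
// client-side only and trivially bypassed with curl, so the server re-checks.
// Records when, and which version of, the ToS the user agreed to.
function signup(body, now = new Date()) {
  const email = String(body.email || "").trim().toLowerCase();
  if (!email) throw new Error("email required");
  if (!parseAccepted(body.acceptedTerms)) {
    throw new Error("terms of service must be accepted");
  }
  if (users.has(email)) throw new Error("account exists");
  const user = {
    email,
    acceptedTermsAt: now.toISOString(),
    acceptedTermsVersion: TERMS_VERSION,
  };
  users.set(email, user);
  return user;
}

// True when the user must re-accept because the ToS was updated after they
// last agreed. Versions are ISO dates, so plain string comparison orders them.
function needsReacceptance(user, currentVersion = TERMS_VERSION) {
  return !user.acceptedTermsVersion ||
    user.acceptedTermsVersion < currentVersion;
}

// Call from the "I agree to the updated terms" endpoint; gate the rest of the
// app on needsReacceptance() returning false.
function reaccept(email, now = new Date(), currentVersion = TERMS_VERSION) {
  const user = users.get(email);
  if (!user) throw new Error("no such user");
  user.acceptedTermsAt = now.toISOString();
  user.acceptedTermsVersion = currentVersion;
  return user;
}
```

Wire signup() to the POST handler behind the form and run needsReacceptance() in an authentication middleware; a user whose accepted version is older than TERMS_VERSION is redirected to the updated terms before reaching anything else.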

Affected Technologies

javascript

Data Hogo detects this vulnerability automatically.
