# ST-SEC-009 - SecureString Misusage

> **Rule ID**: `ST-SEC-009`

**Scope**: Workflow

## Description

This rule checks whether the **SecureString** type is misused in the workflow. This string type is used to avoid storing potentially sensitive strings as plain text. If certain activities accept sensitive information as input but do not support the **SecureString** type, you can exclude them from this rule.

## Recommendation

The **SecureString** type should not be used for any purpose other than the intended one. Therefore, attempting to cast **SecureString** to **String** may be viewed as a security risk.

According to the official Microsoft [documentation](https://docs.microsoft.com/en-us/dotnet/api/system.security.securestring?view=netframework-4.8), if a **String** object contains any sensitive information, it raises the risk of the data being revealed after it is used.

In addition, the scope of **SecureString** type variables should be very limited, ideally to the same scope in which they were created.

![docs image](https://dev-assets.cms.uipath.com/assets/images/studio/studio-docs-image-170315-706730d4.webp)
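The recommendation above, shown as an added C# example that is not part of the original documentation: it contrasts converting a **SecureString** to a **String** with exposing the plaintext only in a zeroed unmanaged buffer, all within the scope that created the value. The names `SecureStringScopeDemo`, `BuildSample`, `ToPlainString` and `UsePlaintext` are hypothetical, and the secret is a constructed sample.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringScopeDemo
{
    // Constructed sample secret; a real workflow would receive it from a credential store.
    static SecureString BuildSample()
    {
        var s = new SecureString();
        foreach (char c in "constructed-sample") s.AppendChar(c);
        s.MakeReadOnly();
        return s;
    }

    // Discouraged: the result is an immutable managed String. It cannot be
    // overwritten, and there is no way to predict when it leaves memory.
    static string ToPlainString(SecureString secret) =>
        new NetworkCredential(string.Empty, secret).Password;

    // When plaintext is unavoidable: expose it only inside a callback, in an
    // unmanaged buffer that is zeroed and freed before this method returns.
    static void UsePlaintext(SecureString secret, Action<IntPtr, int> use)
    {
        IntPtr buffer = IntPtr.Zero;
        try
        {
            buffer = Marshal.SecureStringToGlobalAllocUnicode(secret);
            use(buffer, secret.Length);
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(buffer);
        }
    }

    static void Main()
    {
        // The SecureString is created, used and disposed in a single scope.
        using (SecureString secret = BuildSample())
        {
            string copy = ToPlainString(secret); // the conversion to avoid
            Console.WriteLine($"Managed String copy length: {copy.Length}");

            UsePlaintext(secret, (ptr, len) =>
                Console.WriteLine($"Starts with 'c': {Marshal.ReadInt16(ptr) == 'c'} ({len} chars)"));
        }
    }
}
```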

## Modifying the Rule

In the **Project Settings** window, select the **Workflow Analyzer** tab. Find and select the rule.

You can exclude activities that do not support the **SecureString** type by adding their namespaces, separated by commas, in the **Excluded Activities** field.

## Reset to Default

To reset the value to default, right-click the rule in the **Project Settings** window, and then click **Reset to default**.

![docs image](https://dev-assets.cms.uipath.com/assets/images/studio/studio-docs-image-166716-253e065a.webp)
