| UI or UX | UI + UX - Security-risk warning and safe interruption before unsafe navigation, download, submission, preview, or sensitive action | UI + UX - Severe-consequence warning copy before an action | UI + UX - Urgent current-task status message | UI + UX - Authorization and access-boundary state | UI + UX - Controlled reveal and re-hiding of masked sensitive values, secrets, tokens, credentials, identifiers, or private records |
| UI guidance | Render a security warning as a high-clarity interruption that names the detected risk, identifies the destination or object, explains the concrete threat, presents the safest action as the primary path, and separates any override behind deliberate risk detail. | Render warning text as a short high-emphasis statement with a warning icon, visible or hidden warning label, and explicit consequence copy placed before the relevant action, declaration, or instruction. | Render an alert as a visible message in the current task area with a clear severity cue, short title, consequence-focused body, and one direct action or safe dismissal when appropriate. | Show the blocked object or action, current account, permission level, required role, owner, and request path when revealing that information is allowed. | Render sensitive-data reveal as a masked value with an explicit reveal action, visible hide action, clear field identity, safe default state, reveal duration or hold behavior, and status feedback that explains what is visible now. |
| UX guidance | Use security warning when a product, browser, operating system, or service has evidence that proceeding could expose credentials, install harmful software, leak sensitive data, bypass trust, or weaken account protection. | Use warning text when users must understand a serious consequence before acting or failing to act, such as a fine, loss of access, permanent deletion, eligibility impact, or legal responsibility. | Use alerts when the user must notice a time-sensitive condition that affects their current task, such as session expiry, lost connection, unsaved work risk, failed submission, or a security-sensitive hold. | Use permission denied state when the system knows the user is authenticated but their role, group, share, license, policy, or approval status blocks a specific object or action. | Use sensitive-data reveal when users need to verify, compare, copy, rotate, recover, or transcribe a sensitive value that is normally masked or redacted. |
| Good UI | A browser interstitial says Deceptive site ahead, shows the suspicious domain, explains that attackers may steal passwords, and makes Back to safety the primary action while placing Visit unsafe site behind Details. | Before Submit declaration, a warning with an exclamation icon says the user may be fined if they provide false information. | A session alert appears above the active editor, says the session expires in 2 minutes, and offers Save draft while keeping the editor usable. | A report page says Quarterly revenue report requires Finance viewer access, shows the current account, names the report owner, and offers Request access and Switch account. | An API key row shows sk_live_****9H2Q by default, requires Reauthenticate before Full reveal, logs the reveal event, and automatically hides after 30 seconds. |
| Bad UI | A red page says Security issue with Continue as the only visible action. | A red sentence says Important below the submit button after the user has already acted. | A vague red strip says Warning with no object, consequence, or next step. | A denial page says Something went wrong and shows Retry even though the user lacks a required group. | A dashboard shows API keys in plain text by default and copies them to clipboard without warning or audit. |
| Good UX | A user clicks a payroll link that visually resembles the company domain, sees the suspicious-domain warning, returns to the trusted site, and reports the link to security. | Users see the fine or eligibility consequence before checking the declaration and can pause to verify their answer. | Users can renew the session, save a draft, or inspect details without losing typed work. | A user opens a restricted report, sees which account is signed in, requests viewer access with a reason, then sees that the request is pending with the owner. | A developer needs to rotate a webhook secret, reveals it after step-up verification, copies it with a visible clipboard warning, then sees it auto-hide with an audit ID. |
| Bad UX | A user sees a vague warning, assumes it is routine maintenance, proceeds, and enters credentials into a phishing page. | A benefit-loss warning appears only after submission, so users cannot change the decision it warns about. | The only warning that unsaved work will be lost disappears after five seconds. | The app returns a blank screen for a restricted file, so the user cannot tell whether the file is gone, private, or opened with the wrong account. | A user opens billing details in a shared office and the full card number appears automatically with no warning. |
| Best fit | A threat signal indicates phishing, malware, deceptive site, unsafe download, invalid certificate, insecure connection, mixed-content submission, suspicious redirect, file preview risk, or account-security danger. | A user must understand a serious consequence before taking or skipping an action. | A current task has a time-sensitive warning, error, or important status change. | A signed-in user lacks permission to view, edit, publish, export, delete, approve, share, administer, or configure a resource. | Users need to inspect, copy, verify, rotate, transcribe, or compare a sensitive value that should normally stay masked or redacted. |
| Avoid when | The message is only a general severe consequence before a product action; use warning text. | The message is a dynamic task status that must be announced when it appears. | The message belongs beside one object, row, field, or local section. | The user is not signed in and the next step is authentication rather than authorization. | The task is only entering a password into an authentication form; use password input. |
| Required state | Safe path state with primary Back to safety, Cancel, Remove, Use trusted route, or Contact admin action. | No-warning state where the action has no severe consequence. | No-alert state with the task operating normally. | Whole-object access denied state. | Masked state with the field identity, safe suffix or count, and reveal eligibility. |
| Accessibility burden | Use a heading and text that name the risk before the destination or details, so screen reader users hear the warning context first. | Do not rely on color alone; include visible or programmatic warning wording and a non-color cue such as an icon. | Use role alert for urgent dynamic text and avoid putting interactive controls inside the role-alert node itself. | Use a heading that identifies the access boundary and a text description that does not rely on lock icons or red color alone. | Use a labelled button or toggle whose accessible name includes the field, such as Show API key or Hide account number. |
| Common misuse | Using vague warning copy that does not say phishing, malware, certificate, insecure connection, dangerous download, or suspicious redirect. | Using warning text for routine hints, explanations, or mild reminders. | Using a disappearing toast for warnings users must act on before continuing. | Treating authorization denial as a generic retryable error. | Showing sensitive values in plain text by default. |