Enable ClassSerializerInterceptor globally so that it runs class-transformer's instanceToPlain() (classToPlain() in older versions) on every response body. Decorate entity fields with @Exclude() to strip sensitive data, or combine @Expose() with the excludeExtraneousValues option for whitelist mode. Controllers must return class instances: a plain object (a raw query row, a spread copy, a JSON-parsed value) carries no decorator metadata, so the interceptor passes it through unchanged and every field, including the sensitive ones, reaches the client.
@Exclude() — blacklist approach: every property is included by default and only decorated ones are stripped, so a column added to the entity later is exposed until someone remembers to decorate it.
@Expose() with excludeExtraneousValues: true — whitelist approach: only decorated properties are included, so new fields are hidden by default. The option is set in the interceptor's default options or per route via @SerializeOptions(); placing @Exclude() on the class and @Expose() on the allowed fields has the same effect.
@SerializeOptions() at route or controller level is read through Reflector and merged over the interceptor's default options, so each key it sets (groups, excludeExtraneousValues, ...) overrides the global value for that handler; method-level metadata takes precedence over controller-level metadata.
ClassSerializerInterceptor needs a Reflector instance to read that metadata. Register it through the APP_INTERCEPTOR provider token in a module so the DI container constructs it, or, when using app.useGlobalInterceptors(), obtain the Reflector from the application container and pass it to the constructor yourself; interceptors registered the second way live outside the DI container and cannot have other dependencies injected.
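The following added example is a self-contained model of what the interceptor does with the decorator metadata, written for these notes; it is not NestJS or class-transformer code. The @Exclude()/@Expose() decorators are replaced by explicit registration calls (exclude(), expose()) so the file runs with no npm packages, and UserEntity, the two "controller" functions, interceptResponse() and the sample database row are all constructed for the demonstration. Only excludeExtraneousValues is a real class-transformer option name. It shows why a plain object bypasses the decorators (metadata lives on the class, not on the object), the blacklist and whitelist modes, and the route-level options being merged over the global defaults.

```typescript
// Added example: model of ClassSerializerInterceptor + instanceToPlain().
// Not the real implementations; registration calls stand in for decorators.

type SerializeOptions = { excludeExtraneousValues?: boolean };
type Meta = { exclude: Set<string>; expose: Set<string> };

// Decorator metadata is keyed by the class constructor, never by an object.
const registry = new WeakMap<Function, Meta>();

function metaFor(ctor: Function): Meta {
  let m = registry.get(ctor);
  if (!m) {
    m = { exclude: new Set(), expose: new Set() };
    registry.set(ctor, m);
  }
  return m;
}

// Stand-ins for the @Exclude() and @Expose() property decorators.
function exclude(ctor: Function, ...props: string[]): void {
  props.forEach((p) => metaFor(ctor).exclude.add(p));
}
function expose(ctor: Function, ...props: string[]): void {
  props.forEach((p) => metaFor(ctor).expose.add(p));
}

// Walk the prototype chain looking for a class with metadata. A plain {}
// reaches Object.prototype immediately and yields nothing.
function findMeta(value: object): Meta | undefined {
  let proto = Object.getPrototypeOf(value);
  while (proto && proto !== Object.prototype) {
    const m = registry.get(proto.constructor);
    if (m) return m;
    proto = Object.getPrototypeOf(proto);
  }
  return undefined;
}

// Model of instanceToPlain(): arrays are mapped element-wise, class
// instances are filtered by their metadata, plain objects pass through.
function instanceToPlain(value: unknown, opts: SerializeOptions = {}): unknown {
  if (Array.isArray(value)) return value.map((v) => instanceToPlain(v, opts));
  if (value === null || typeof value !== 'object') return value;
  const meta = findMeta(value);
  if (!meta) return value; // no metadata: nothing is stripped
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(value)) {
    if (meta.exclude.has(k)) continue; // blacklist mode
    if (opts.excludeExtraneousValues && !meta.expose.has(k)) continue; // whitelist mode
    out[k] = instanceToPlain(v, opts);
  }
  return out;
}

// Model of the interceptor: @SerializeOptions() metadata for the route is
// merged over the interceptor's global default options, key by key.
function interceptResponse(
  body: unknown,
  globalOpts: SerializeOptions,
  routeOpts?: SerializeOptions,
): unknown {
  return instanceToPlain(body, { ...globalOpts, ...routeOpts });
}

// Constructed entity (hypothetical), with the decorators it would carry:
//   @Exclude() password;  @Expose() id;  @Expose() email
class UserEntity {
  id!: number;
  email!: string;
  password!: string;
  role!: string;
  constructor(partial: Partial<UserEntity>) {
    Object.assign(this, partial);
  }
}
exclude(UserEntity, 'password');
expose(UserEntity, 'id', 'email');

// Constructed database row standing in for a repository result.
const row = { id: 7, email: 'alice@example.com', password: '$2b$10$hashedsecret', role: 'admin' };

// Vulnerable controller: returns the raw row, so the decorators never apply.
function findOneLeaky(): unknown {
  return { ...row };
}
// Fixed controller: wraps the row in the entity class before returning it.
function findOneSafe(): UserEntity {
  return new UserEntity(row);
}

// Runs the three cases the notes describe and returns the serialized bodies.
function demo(): Record<string, Record<string, unknown>> {
  const globalOpts: SerializeOptions = {};
  return {
    leaky: interceptResponse(findOneLeaky(), globalOpts) as Record<string, unknown>,
    blacklist: interceptResponse(findOneSafe(), globalOpts) as Record<string, unknown>,
    whitelist: interceptResponse(findOneSafe(), globalOpts, {
      excludeExtraneousValues: true,
    }) as Record<string, unknown>,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running demo() shows the leaky body still containing the password hash, the blacklist body containing id, email and role, and the whitelist body containing only id and email; the role field, never decorated, disappears as soon as excludeExtraneousValues is set for the route.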