// Prevents logging of sensitive data like passwords, tokens, and API keys
# Never Log Secrets, Tokens, or Sensitive Data
Logging sensitive information is a critical security vulnerability.
## What NEVER to Log
### Credentials
- Passwords (plain text or hashed)
- API keys and tokens
- OAuth tokens and secrets
- Private keys
- Database credentials
- Session IDs
### Personal Information (PII)
- Social Security Numbers
- Credit card numbers
- Bank account details
- Health information
- Passwords or PINs
### Internal Secrets
- Encryption keys
- Salt values
- Internal API endpoints
- Security tokens
- Auth cookies
## Dangerous Patterns to Avoid
### ❌ Direct Logging
```javascript
// NEVER DO THIS
console.log('User login:', { email, password });
logger.debug('API request:', { headers, apiKey });
console.error('Auth failed:', error); // error might contain token
```
### ❌ Object Dumps
```javascript
// DANGEROUS - might contain secrets
console.log('Request:', req);
console.log('User object:', user);
logger.debug('Config:', config);
```
## Safe Logging Practices
### ✅ Sanitize Before Logging
```javascript
function sanitize(obj) {
const safe = { ...obj };
delete safe.password;
delete safe.apiKey;
delete safe.token;
delete safe.secret;
return safe;
}
logger.info('User login:', sanitize(loginData));
```
### ✅ Redact Sensitive Fields
```javascript
const safeHeaders = {
...headers,
Authorization: '[REDACTED]',
'X-API-Key': '[REDACTED]',
};
logger.debug('Request headers:', safeHeaders);
```
### ✅ Log Non-Sensitive Identifiers Only
```javascript
// Good - log IDs, not secrets
logger.info('User authenticated', { userId: user.id });
logger.debug('Payment processed', { orderId, userId });
```
## Environment Variables
### ❌ Never Log Env Vars Directly
```javascript
// DANGEROUS
console.log('Environment:', process.env);
```
### ✅ Whitelist Safe Variables
```javascript
const safeEnv = {
NODE_ENV: process.env.NODE_ENV,
PORT: process.env.PORT,
LOG_LEVEL: process.env.LOG_LEVEL,
};
logger.info('Config:', safeEnv);
```
## Error Logging
### ❌ Don't Log Full Error Objects
```javascript
// Error might contain sensitive data
catch (error) {
console.error(error); // might have auth context
}
```
### ✅ Log Safe Error Details
```javascript
catch (error) {
logger.error('Operation failed', {
message: error.message,
code: error.code,
// Don't include: stack (might have secrets), data, context
});
}
```
## Default Deny Approach
When in doubt, DON'T log it. It's better to log too little than to leak secrets.
## Review Checklist
Before any logging:
- [ ] No passwords or credentials
- [ ] No API keys or tokens
- [ ] No PII
- [ ] No full request/response objects
- [ ] No environment variables
- [ ] No internal endpoints or secrets
One leaked secret in logs can compromise an entire system.6 matches