Logging Without Leaking Information
TL;DR: Log what happened and where, not the data itself. Never log passwords, tokens, or personally identifiable information. Treat your logs like they will eventually be read by someone who should not have full access.
Logs are one of the first places an attacker looks if they get access to your infrastructure. They’re also one of the most common places sensitive data ends up unexpectedly.
It happens when developers log entire request bodies for debugging. A user signs up, and their password lands in plain text in your log file. A payment comes through, and a card number is sitting in your application logs. These aren’t theoretical. They happen regularly in codebases that weren’t thinking carefully about what gets logged.
The rule is to log events, not data. Log that a login attempt failed, not the password that was tried. Log that a payment was processed, not the card number used. Log the user ID, not the user’s personal details.
function logError(err, req) {
  // Record the event and where it happened: method, path, and the error message.
  // Keep request bodies, headers, and query-string values out of the message,
  // since they are exactly where passwords, tokens, and card numbers turn up.
  console.error(`Error in ${req.method} ${req.url}: ${err.message}`);
  // Do not log err.stack or sensitive data here
}
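As an added example (not code from the original post), here is a small logger that records the event and its location and passes only a redacted copy of any extra context, so a request body can be attached for debugging without leaking credentials or card numbers. The deny-list of key names, the card-number pattern, and the sample request are assumptions made for this example.

```javascript
// Added example (not from the original post): log the event and its location,
// and pass only a redacted copy of any context. The deny-list of key names and
// the card-number pattern are assumptions made for this example.
const SENSITIVE_KEYS = new Set([
  'password', 'passwd', 'secret', 'token', 'authorization', 'cookie',
  'email', 'ssn', 'cardnumber', 'card_number', 'cvv',
]);
// Runs of 13-19 digits, optionally separated by spaces or dashes (PAN-like).
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Recursively replace sensitive keys and mask card-number-like strings.
function redact(value, depth = 0) {
  if (depth > 8) return '[depth-limit]';           // guard against cyclic objects
  if (typeof value === 'string') return value.replace(PAN_RE, '[REDACTED-PAN]');
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  return value;                                    // numbers, booleans, null
}

// One structured record: what happened, where, which user id, safe context only.
function buildLogRecord(event, req, context = {}) {
  return {
    ts: new Date().toISOString(),
    event,
    method: req.method,
    path: req.url.split('?')[0],                   // query strings often carry tokens
    userId: req.user ? req.user.id : null,         // an identifier, not personal details
    context: redact(context),
  };
}

function logEvent(event, req, context) {
  const record = buildLogRecord(event, req, context);
  console.log(JSON.stringify(record));
  return record;
}

// Constructed sample request: a signup whose body must not reach the log as-is.
const sampleReq = {
  method: 'POST', url: '/api/signup?token=abc123', user: { id: 42 },
  body: { email: 'a@example.com', password: 'hunter2', card: '4111 1111 1111 1111' },
};
logEvent('signup.failed', sampleReq, { reason: 'weak_password', body: sampleReq.body });
```

The output line contains the event name, method, path, and user id, while `email` and `password` show up as `[REDACTED]` and the card value as `[REDACTED-PAN]`.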
A few other things worth doing: restrict who has access to your logs. Rotate and expire old log files rather than keeping them indefinitely. If you’re using a centralized log platform like Datadog or ELK, make sure access control is configured properly there too.
Further reading: OWASP Logging Cheat Sheet