Logging Secrets
In this lesson, we'll study a few scenarios where logging can go awry and how to prevent them.
Logging sensitive data
If you develop systems that handle secrets such as passwords, credit card numbers, security tokens or personally identifiable information (PII), you need to be very careful about how this data flows through your application, because a simple mistake can leak it into your infrastructure.
Take a look at this example, where our app fetches user details based on a header.
app.get('/users/me', function (req, res) {
  try {
    // Look up the caller by the auth token sent in the "token" request header
    const user = db.getUserByToken(req.headers.token)
    res.send(user)
  } catch (err) {
    // Logs the entire request object, headers (and the token) included
    log("Error in request: ", req)
  }
})
Now, this innocuous-looking piece of code is actually dangerous: if an error occurs, the entire request object gets logged.
Having the whole request logged is going to be extremely helpful when debugging but will also lead to storing auth tokens (available in the request’s ...
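One way to keep the debugging value of logging the request while keeping the token out of the log file is to redact known-sensitive headers and body fields before the object reaches the logger. The following is an added example, not code from the lesson; the header and field names it treats as sensitive, and the sample request, are assumptions constructed for the demo.

```javascript
// Header and body-field names treated as secrets (assumed list for this demo).
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'token', 'x-api-key']);
const SENSITIVE_FIELDS = new Set(['password', 'creditcard', 'ssn', 'token']);
const MASK = '[REDACTED]';

// Recursively mask sensitive keys anywhere in a JSON-like value; the input is not mutated.
function redactObject(value) {
  if (Array.isArray(value)) return value.map(redactObject);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      // Normalise "credit_card" / "Credit-Card" to "creditcard" before matching.
      const norm = key.toLowerCase().replace(/[_-]/g, '');
      out[key] = SENSITIVE_FIELDS.has(norm) ? MASK : redactObject(inner);
    }
    return out;
  }
  return value;
}

// Build a loggable copy of the request: only the parts useful for debugging, with secrets masked.
function redactRequest(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? MASK : value;
  }
  return { method: req.method, path: req.path, headers, body: redactObject(req.body) };
}

// Drop-in replacement for the lesson's `log("Error in request: ", req)` call.
function logRequestError(message, req) {
  const safe = redactRequest(req);
  console.log(message, JSON.stringify(safe));
  return safe;
}

// Constructed sample request, shaped like the one the /users/me handler receives.
const sampleReq = {
  method: 'GET',
  path: '/users/me',
  headers: { token: 'tok_abc123', 'user-agent': 'curl/8.0' },
  body: { profile: { name: 'Ada' }, credit_card: '4111111111111111' },
};
```

Calling `logRequestError("Error in request: ", sampleReq)` emits the method, path and user agent but prints `[REDACTED]` in place of the token header and the card number.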