SecurityBest PracticesObservability

Preventing Credential Leaks in Logs: A Comprehensive Guide

Thomas NelsonJune 27, 20268 min read

Credential leaks in logs happen all too often. Picture a login timeout while DEBUG mode is on, capturing full HTTP requests. This can fill logs with thousands of credentials. Then, a customer notices their password sitting in your SIEM logs.

Root Causes:

  • Secrets get logged by default.
  • Headers and bodies are logged without filtering.
  • Libraries log payloads during errors.
  • Debug modes capture raw requests with sensitive data.
  • Context leaks reveal tokens or emails.
  • URLs with credentials end up logged.
  • Email addresses show up in metrics.
  • Environment dumps have sensitive info.
  • Third-party SDKs log payloads by default.
  • Unsafe logging spreads across systems.

Why Usual Fixes Fail:

  • Policies are ignored when deadlines loom.
  • Regex filtering is unreliable.
  • Denylists miss data variations.
  • Library defaults revert on updates.
  • Patchwork solutions miss log paths.
  • Code reviews miss complex issues.
  • Fewer logs don’t guarantee no leaks.

Securing Logs:

  1. Classify at Source:

    • Use a Secret type that defaults to “[redacted]”.
  2. Centralize Logging:

    • Use structured logging to automatically leave out sensitive data.
  3. Early Scrubbing:

    • Remove sensitive fields from access logs right away.
  4. Proper Configuration:

    • Turn off sensitive data logging in clients and ORMs.
  5. Ensure Testability:

    • Use canary secrets in non-production environments to detect leaks.
  6. Separate Log Types:

    • Keep audit and debug logs separate with limited retention.

Implementation Insights:

Java/Spring:

  • Use filters and custom serializers to hide secrets.

Node/Express:

  • Use allowlists and strip sensitive retry data.

Python/Django/Flask/FastAPI:

  • Filter out sensitive logging.

Go:

  • Log selectively, masking sensitive fields.

Ruby/Rails:

  • Use FilterParameterLogging for sensitive parameters.

Proxies/Gateways:

  • Keep sensitive data out of logs.

Kubernetes/Log Agents:

  • Filter sensitive fields at the node level.

Cloud Functions/Containers:

  • Only emit pre-approved environment details.

Metrics and Tracing:

  • Use fixed allowlists for tracking.

Final Steps:

  • Identify and eliminate unsafe practices.
  • Centralize logging APIs with data classification.

Challenges:

  • Requires strict classification.
  • Debug logs are needed but must be limited.

Outcomes:

  • Preventing incidents reduces operational friction.
  • Safe defaults significantly cut risks.

Response to Leaks:

  • Rotate secrets and clear affected data.
  • Inform and use additional preventive measures.

Core Message: Change how data enters logs: focus on classification, centralization, and early scrubbing. Safe logging should be a basic practice, beyond unreliable regex fixes.

[ cerbi ] · Start now

One NuGet package. No pipeline changes. Policy-as-code governance that runs in-process before sensitive data ever reaches Splunk, Datadog, or Azure Monitor.

14-day free trial/No credit card/Works with Serilog · NLog · MEL
Preventing Credential Leaks in Logs: A Comprehensive Guide | Cerbi Blog