Credential leaks in logs happen all too often. Picture a login timeout while DEBUG mode is on, capturing full HTTP requests. This can fill logs with thousands of credentials. Then, a customer notices their password sitting in your SIEM logs.
Root Causes:
- Secrets get logged by default.
- Headers and bodies are logged without filtering.
- Libraries log payloads during errors.
- Debug modes capture raw requests with sensitive data.
- Context leaks reveal tokens or emails.
- URLs with credentials end up logged.
- Email addresses show up in metrics.
- Environment dumps have sensitive info.
- Third-party SDKs log payloads by default.
- Unsafe logging spreads across systems.
Why Usual Fixes Fail:
- Policies are ignored when deadlines loom.
- Regex filtering is unreliable.
- Denylists miss data variations.
- Library defaults revert on updates.
- Patchwork solutions miss log paths.
- Code reviews miss complex issues.
- Fewer logs don’t guarantee no leaks.
Securing Logs:
-
Classify at Source:
- Use a Secret type that defaults to “[redacted]”.
-
Centralize Logging:
- Use structured logging to automatically leave out sensitive data.
-
Early Scrubbing:
- Remove sensitive fields from access logs right away.
-
Proper Configuration:
- Turn off sensitive data logging in clients and ORMs.
-
Ensure Testability:
- Use canary secrets in non-production environments to detect leaks.
-
Separate Log Types:
- Keep audit and debug logs separate with limited retention.
Implementation Insights:
Java/Spring:
- Use filters and custom serializers to hide secrets.
Node/Express:
- Use allowlists and strip sensitive retry data.
Python/Django/Flask/FastAPI:
- Filter out sensitive logging.
Go:
- Log selectively, masking sensitive fields.
Ruby/Rails:
- Use FilterParameterLogging for sensitive parameters.
Proxies/Gateways:
- Keep sensitive data out of logs.
Kubernetes/Log Agents:
- Filter sensitive fields at the node level.
Cloud Functions/Containers:
- Only emit pre-approved environment details.
Metrics and Tracing:
- Use fixed allowlists for tracking.
Final Steps:
- Identify and eliminate unsafe practices.
- Centralize logging APIs with data classification.
Challenges:
- Requires strict classification.
- Debug logs are needed but must be limited.
Outcomes:
- Preventing incidents reduces operational friction.
- Safe defaults significantly cut risks.
Response to Leaks:
- Rotate secrets and clear affected data.
- Inform and use additional preventive measures.
Core Message: Change how data enters logs: focus on classification, centralization, and early scrubbing. Safe logging should be a basic practice, beyond unreliable regex fixes.
