---
title: Do Not Log Credentials Or Tokens
impact: MEDIUM
impactDescription: prevents credential exposure in logs
tags: logging, credentials, tokens, secrets, security
---

## Do Not Log Credentials Or Tokens

Logs are often stored unencrypted and accessed by many people. Credentials in logs can be harvested by attackers or accidentally exposed.

**Incorrect (logging sensitive data):**

```go
// Logging passwords
slog.Info("Login attempt",
    "username", user.Username,
    "password", user.Password, // NEVER!
)

// Logging tokens
slog.Debug("Request headers", "headers", r.Header)
// Authorization header contains token!

// Logging full request body
body, _ := io.ReadAll(r.Body)
slog.Info("Incoming request", "body", string(body))
// May contain password, credit card, etc.
```

**Correct (sanitized logging):**

```go
// Mask or omit sensitive fields
slog.Info("Login attempt",
    "username", user.Username,
    // password omitted
)

// Sanitize headers: redact on a clone so the real request is left untouched
safeHeader := r.Header.Clone()
if safeHeader.Get("Authorization") != "" {
    safeHeader.Set("Authorization", "[REDACTED]")
}
slog.Debug("Request headers", "headers", safeHeader)

// Use a sanitizer for the decoded request body. It returns a redacted copy
// instead of mutating its argument, so the handler still sees the real values.
func sanitizeForLog(data map[string]any) map[string]any {
    sensitiveFields := []string{"password", "token", "secret", "credit_card"}
    safe := make(map[string]any, len(data))
    for k, v := range data {
        safe[k] = v
    }
    for _, field := range sensitiveFields {
        if _, ok := safe[field]; ok {
            safe[field] = "[REDACTED]"
        }
    }
    return safe
}
```
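The snippets above redact one field at a time at each call site, which is easy to forget. The following is an added example (not part of the original rule) that generalizes the same idea into three layers for `log/slog`: a `ReplaceAttr` hook on the handler that redacts sensitive keys at any group depth, a `LogValuer` on the user type so its password cannot be logged even via `slog.Any`, and deep-copying sanitizers for headers and decoded bodies, which the hook cannot see inside. The deny list, the `User` type, `loginLogLine` and the sample request are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"log/slog"
	"net/http"
	"strings"
)

const redacted = "[REDACTED]"

// sensitiveKeys is an assumed deny list of attribute/field/header names whose
// values must never reach a log line (normalised: lowercase, '-' -> '_').
var sensitiveKeys = map[string]bool{
	"password": true, "passwd": true, "token": true, "secret": true,
	"api_key": true, "x_api_key": true, "credit_card": true, "ssn": true,
	"session_id": true, "authorization": true, "cookie": true, "set_cookie": true,
}

// isSensitive normalises a key and checks it against the deny list.
func isSensitive(key string) bool {
	return sensitiveKeys[strings.ToLower(strings.ReplaceAll(key, "-", "_"))]
}

// redactAttr is a slog.HandlerOptions.ReplaceAttr hook. slog calls it for every
// non-group attribute, including members of nested groups, before it is written.
func redactAttr(groups []string, a slog.Attr) slog.Attr {
	if isSensitive(a.Key) {
		return slog.String(a.Key, redacted)
	}
	return a
}

// newSafeLogger builds a JSON logger whose handler applies redactAttr.
func newSafeLogger(w io.Writer) *slog.Logger {
	return slog.New(slog.NewJSONHandler(w, &slog.HandlerOptions{ReplaceAttr: redactAttr}))
}

// User is an assumed domain type. Implementing slog.LogValuer means slog.Any("user", u)
// logs only the fields returned here; the password field is never emitted.
type User struct {
	Username string
	Password string
}

func (u User) LogValue() slog.Value {
	return slog.GroupValue(slog.String("username", u.Username))
}

// sanitizeMap returns a redacted deep copy of a decoded JSON object; the original
// map (e.g. the parsed request body) is left untouched for the handler to use.
func sanitizeMap(data map[string]any) map[string]any {
	out := make(map[string]any, len(data))
	for k, v := range data {
		switch nested, ok := v.(map[string]any); {
		case isSensitive(k):
			out[k] = redacted
		case ok:
			out[k] = sanitizeMap(nested)
		default:
			out[k] = v
		}
	}
	return out
}

// safeHeaders clones the headers and redacts every credential-bearing one.
func safeHeaders(h http.Header) http.Header {
	out := h.Clone()
	for k := range out {
		if isSensitive(k) {
			out[k] = []string{redacted}
		}
	}
	return out
}

// loginLogLine renders the line a login handler would emit for the given request
// data, returned as a string so it can be inspected or tested.
func loginLogLine(u User, h http.Header, body map[string]any, sessionID string) string {
	var buf bytes.Buffer
	log := newSafeLogger(&buf)
	log.Info("login attempt",
		slog.Any("user", u),                     // LogValuer drops the password
		slog.Any("headers", safeHeaders(h)),     // clone with credentials redacted
		slog.Any("body", sanitizeMap(body)),     // redacted deep copy
		slog.String("session_id", sessionID),    // caught by redactAttr
	)
	return buf.String()
}

func main() {
	// Constructed sample request; not captured from a real system.
	h := http.Header{}
	h.Set("Authorization", "Bearer example-token")
	h.Set("Content-Type", "application/json")
	body := map[string]any{
		"username": "alice", "password": "hunter2",
		"card": map[string]any{"credit_card": "4111111111111111", "last4": "1111"},
	}
	fmt.Print(loginLogLine(User{Username: "alice", Password: "hunter2"}, h, body, "sess-123"))
}
```

The handler hook is the safety net for attributes logged directly; it cannot look inside an `http.Header` or `map[string]any` passed as a single `slog.Any` value, which is why those are copied and redacted before logging. Keeping the deny list in one place also makes it reviewable when a new credential type (a new header, a new field name) is introduced.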

**Never log:**
- Passwords (plaintext or hashed)
- API keys and tokens
- Credit card numbers
- Social Security Numbers
- Session identifiers

**Tools:** SonarQube, Semgrep, Log Audit
