---
title: Do Not Log Credentials Or Tokens
impact: HIGH
impactDescription: prevents sensitive credential exposure in monitoring systems
tags: logging, credentials, tokens, secrets, security, kotlin
---

## Do Not Log Credentials Or Tokens

Logging systems are usually far less protected than the core database: log lines are shipped to aggregators, copied into backups, indexed by search tools and read by support and on-call staff, and they are almost never encrypted field by field. A credential or token that lands in a log is therefore available to anyone with read access to that pipeline, whether an attacker who has compromised it or an employee who was never authorized to hold the secret. Treat every log sink as untrusted storage and keep secrets out of it at the source.

**Incorrect (logging sensitive data):**

```kotlin
// Logging passwords
logger.info("Login attempt for user: {}, password: {}", user.username, user.password) // NEVER!

// Logging full request headers
logger.debug("Request headers: {}", request.headers)
// Authorization header contains Bearer tokens!

// Logging raw request body
logger.info("Incoming request body: {}", request.body())
// May contain passwords, credit card numbers, or PII
```

**Correct (sanitized logging):**

```kotlin
// Omit sensitive fields
logger.info("Login attempt for user: {}", user.username)

// Sanitize or mask headers before logging them. Authorization and Cookie are the
// usual carriers of bearer tokens and session IDs; extend the check for any
// custom credential header your service accepts (for example X-Api-Key).
val safeHeaders = request.headers.mapValues { (key, value) ->
    if (key.equals("Authorization", ignoreCase = true) || key.equals("Cookie", ignoreCase = true)) {
        "[REDACTED]"
    } else {
        value
    }
}
logger.debug("Request headers: {}", safeHeaders)

// Use a data sanitizer for objects. Note that this version only inspects
// top-level keys: a secret nested one level down, or embedded inside a free-text
// value, passes through untouched, so apply it to flat maps only.
fun sanitize(data: Map<String, Any?>): Map<String, Any?> {
    val sensitiveKeys = setOf("password", "token", "secret", "credit_card", "cvv")
    return data.mapValues { (key, value) ->
        if (sensitiveKeys.any { key.contains(it, ignoreCase = true) }) "[REDACTED]" else value
    }
}
```
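The `sanitize` function above redacts by key name and only at the top level of a flat map. The following is an added example, not code from the original page: a `LogSanitizer` object (the name and API are illustrative, not a library) that recurses into nested maps and lists, scrubs token-shaped substrings (Bearer tokens, JWTs, card-number digit runs) out of free-text values where a key-based check cannot see them, and a `Secret` wrapper whose `toString()` never reveals its contents, so that an accidental `logger.info("user={}", user)` or string template cannot leak it. The sample request in `main` is constructed for the demonstration.

```kotlin
// Added example (not from the original page). Names such as LogSanitizer,
// Secret and LoginRequest are illustrative, not a real library API.

object LogSanitizer {
    const val REDACTED = "[REDACTED]"

    // Key fragments that mark a field as sensitive (case-insensitive substring match).
    private val sensitiveKeyFragments = listOf(
        "password", "passwd", "secret", "token", "authorization", "cookie",
        "api_key", "apikey", "credit_card", "card_number", "cvv", "ssn"
    )

    // Secrets that leak inside otherwise harmless strings, with their replacement.
    // Order matters: the Bearer rule runs first so the scheme word is preserved.
    private val valuePatterns: List<Pair<Regex, String>> = listOf(
        // "Bearer <token>" anywhere in free text (RFC 6750 token68 characters)
        Regex("""(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*""") to "Bearer $REDACTED",
        // JWT shape: three base64url segments separated by dots
        Regex("""[A-Za-z0-9\-_]{10,}\.[A-Za-z0-9\-_]{10,}\.[A-Za-z0-9\-_]{10,}""") to REDACTED,
        // 13-19 digit runs with optional space/dash separators (payment card numbers).
        // This will also hit long numeric IDs; for logs a redacted ID is the cheaper error.
        Regex("""\b(?:\d[ -]?){12,18}\d\b""") to REDACTED
    )

    fun isSensitiveKey(key: String): Boolean =
        sensitiveKeyFragments.any { key.contains(it, ignoreCase = true) }

    // Scrub token-shaped substrings out of a free-text value.
    fun scrubText(text: String): String =
        valuePatterns.fold(text) { acc, (regex, replacement) -> regex.replace(acc, replacement) }

    // Recursively sanitize an arbitrary value: maps are redacted by key and recursed
    // into, collections are recursed into, strings are scrubbed, other scalars pass through.
    fun sanitize(value: Any?): Any? = when (value) {
        null -> null
        is String -> scrubText(value)
        is Map<*, *> -> value.entries.associate { (k, v) ->
            val key = k.toString()
            key to if (isSensitiveKey(key)) REDACTED else sanitize(v)
        }
        is Iterable<*> -> value.map { sanitize(it) }
        is Array<*> -> value.map { sanitize(it) }
        else -> value
    }
}

// A value type for secrets whose toString() never reveals the secret. Use it for
// fields like passwords and API keys so that data-class toString(), string
// templates and parameterized log calls all print the redacted form by default.
class Secret(private val value: String) {
    fun reveal(): String = value
    override fun toString(): String = "Secret(${LogSanitizer.REDACTED})"
}

data class LoginRequest(val username: String, val password: Secret)

fun main() {
    // Constructed sample request, shaped like what a handler might dump into a log.
    val request = mapOf(
        "method" to "POST",
        "headers" to mapOf(
            "Authorization" to "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123def456ghi789",
            "Cookie" to "session=0123456789abcdef",
            "User-Agent" to "curl/8.0"
        ),
        "body" to mapOf(
            "username" to "alice",
            "password" to "hunter2",
            // "card" and "number" are not sensitive key names; only the value pattern
            // catches this card number, which is why both layers are needed.
            "card" to mapOf("number" to "4111 1111 1111 1111", "cvv" to "123"),
            "note" to "retry with Bearer abc.def.ghi please"
        ),
        // A secret nested inside a list inside a map is still redacted.
        "tags" to listOf("login", listOf("nested", mapOf("api_key" to "k-123")))
    )
    println(LogSanitizer.sanitize(request))

    // Accidentally logging the whole object is harmless because of Secret.toString().
    val login = LoginRequest("alice", Secret("hunter2"))
    println(login)
}
```

Key-based and value-based redaction cover different failure modes: the key check catches a well-named field regardless of its contents, while the value patterns catch a token that was concatenated into a message or stored under an innocent key such as `number` or `note`. Apply the sanitizer at the logging boundary (a wrapper around the logger, or a Logback converter) rather than at each call site, so that one forgotten call does not reopen the leak, and keep the `Secret` wrapper on any type that is likely to be passed to a log statement by reference.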

**Sensitive data strictly forbidden in logs:**
- Passwords (raw, hashed or encrypted; a logged hash can be cracked offline).
- Authentication tokens (JWTs, OAuth access and refresh tokens, API keys).
- Session IDs and cookies.
- Payment data (card numbers, CVV).
- Government identifiers (SSN, national ID numbers).

**Tools:** Logback `%replace` conversion word or a custom masking converter applied in the appender pattern, SonarQube, manual security audit, Sentry Data Scrubbing
