L01 Logging Exposure
What this means
SiteShadow flagged log statements that may include secrets, credentials, tokens, or sensitive user data.
Why it matters
Logs are widely accessible; leaked secrets can enable account compromise.
- Logs spread: dev machines, CI output, third-party log vendors, support tickets.
- Long retention: even after you "fix the code," old logs still contain the data.
- Compliance risk: PII in logs causes audit and breach-notification headaches.
Safer examples
1) Redact secrets before logging
function redact(s) {
if (!s) return "";
return s.slice(0, 4) + "…";
}
logger.info("Login attempt user=%s tokenPrefix=%s", userId, redact(token));
2) Don't log full request bodies by default
Especially for auth endpoints, webhooks, and payment flows.
3) Restrict access and retention
Limit who can read logs; set retention based on need; protect log sinks as sensitive systems.
How SiteShadow detects it (high level)
- Looks for logging APIs and flags when likely-sensitive variables are logged (tokens, passwords, headers like
Authorization, cookies). - Uses heuristic matching to reduce noise (e.g., ignores obviously fake placeholders where possible).
References
- CWE-532: https://cwe.mitre.org/data/definitions/532.html
---
← Back to Vulnerability Library
Catch this in your code with the free tier.
SiteShadow's free tier covers this exact pattern across the 23 OWASP Top 10 single-file checks. Sign in with your work SSO, first-time sign-in auto-issues your free license.