Passwords and tokens written to your server logs
Credential logging is when sensitive values, like a password, an API token, or a full user record, get printed to your server logs, usually by accident, through a debug console.log left in the code.
What goes wrong
It's common to log an entire request body or user object while debugging a login or signup flow: console.log(req.body) or console.log(user). That line does its job locally and then ships to production, where it quietly logs every password and token that passes through that route.
Why it matters
Logs are stored in plain text and are usually accessible to your hosting provider, anyone on your team with log access, and sometimes third-party logging services you've integrated. A logged password or token is effectively stored insecurely for as long as your logs are retained, which is often longer than anyone remembers to check.
How Heimdall checks for this
Heimdall looks for console.log, console.error, or similar logging calls whose argument is a full request body, a user object, or a variable with a name like password, token, or secret, particularly in authentication-related routes.
How to fix it
Remove debug logging of full objects from any route that handles authentication or credentials. If you need to log for debugging, log specific non-sensitive fields explicitly, like the user's email or ID, never the whole object or the password/token field.
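The before/after from this page as an added example (not Heimdall's or any project's code): the debug line that logs the whole body, beside a handler that logs only an explicit allowlist of fields, plus a redaction helper and a check a unit test can use to prove a log record never contains a credential from the body. An Express-style req object with body and ip is assumed; the request below is constructed, not captured traffic.

```javascript
// Key names treated as credentials; matching is case-insensitive and
// substring-based, so "accessToken", "client_secret" and "Authorization"
// are all caught. Extend this list for your own field names.
const SENSITIVE_KEYS = ['password', 'token', 'secret', 'apikey', 'authorization'];

function isSensitiveKey(key) {
  const k = key.toLowerCase();
  return SENSITIVE_KEYS.some((s) => k.includes(s));
}

// Deep copy of `obj` with every sensitive field replaced by '[REDACTED]'.
function redact(obj) {
  if (Array.isArray(obj)) return obj.map(redact);
  if (obj === null || typeof obj !== 'object') return obj;
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    out[key] = isSensitiveKey(key) ? '[REDACTED]' : redact(value);
  }
  return out;
}

// BEFORE: the line this page describes. The whole body, password included,
// lands in the log verbatim.
function unsafeLoginRecord(req) {
  return { msg: 'login attempt', body: req.body };
}

// AFTER: log only fields you have explicitly decided are safe. Anything
// nested or user-controlled goes through redact() as a second line of defence.
function safeLoginRecord(req) {
  return { msg: 'login attempt', email: req.body.email, ip: req.ip, extra: redact(req.body.extra) };
}

// Collect every string stored under a sensitive key, at any depth.
function sensitiveValues(obj, acc = []) {
  if (obj === null || typeof obj !== 'object') return acc;
  for (const [k, v] of Object.entries(obj)) {
    if (isSensitiveKey(k) && typeof v === 'string' && v) acc.push(v);
    else sensitiveValues(v, acc);
  }
  return acc;
}

// Check worth keeping in a unit test: does the serialised record contain any
// credential from the request body as-is?
function leaksCredential(record, body) {
  const text = JSON.stringify(record);
  return sensitiveValues(body).some((v) => text.includes(v));
}

// Constructed sample request (hypothetical values, not real credentials).
const sampleReq = {
  ip: '203.0.113.7',
  body: { email: 'alice@example.com', password: 'hunter2', extra: { accessToken: 'tok_abc123' } },
};
console.log(JSON.stringify(unsafeLoginRecord(sampleReq))); // contains hunter2 and tok_abc123
console.log(JSON.stringify(safeLoginRecord(sampleReq)));   // no password, token redacted
```

Wiring leaksCredential into a test that runs the handler with a fake password is a cheap way to keep this regression from shipping again.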
Frequently asked questions
Is this only a risk in production?
What if I use a structured logging library instead of console.log?
Should I go back and purge old logs that already have this?
Run this check on your own repo
Heimdall scans your GitHub repo for this and 29 other issues in under a minute.
