Warning · Secrets & Credentials

Passwords and tokens written to your server logs

Credential logging is when sensitive values, such as a password, an API token, or a full user record, are printed to your server logs, usually by accident through a debug console.log left in the code.

What goes wrong

It's common to log an entire request body or user object while debugging a login or signup flow: console.log(req.body) or console.log(user). That line does its job locally and then ships to production, where it quietly logs every password and token that passes through that route.

Why it matters

Logs are stored in plain text and are usually accessible to your hosting provider, anyone on your team with log access, and sometimes third-party logging services you've integrated. A logged password or token is effectively stored insecurely for as long as your logs are retained, which is often longer than anyone remembers to check.

How Heimdall checks for this

Heimdall looks for console.log, console.error, or similar logging calls where the argument is a full request body, a user object, or a variable named like password, token, or secret, particularly in authentication-related routes.

How to fix it

Remove debug logging of full objects from any route that handles authentication or credentials. If you need to log for debugging, log specific non-sensitive fields explicitly, like the user's email or ID, never the whole object or the password/token field.
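The risky pattern next to the two fixes described above, as an added example that is not Heimdall's code. It assumes an Express-shaped request object (`req.body`, `req.ip`); the request, credentials and the `redactForLog` helper are all constructed for this illustration.

```javascript
// Field names that must never reach a log line as-is (assumed list, extend as needed).
const SENSITIVE_KEY = /^(password|passwd|pwd|token|access_token|refresh_token|secret|api_?key|authorization|cookie|session)$/i;

// Return a deep copy of `value` with sensitive fields replaced. Handles nested
// objects and arrays; the depth limit guards against cyclic structures.
function redactForLog(value, depth = 0) {
  if (depth > 8 || value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, depth + 1));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    out[key] = SENSITIVE_KEY.test(key) ? '[REDACTED]' : redactForLog(v, depth + 1);
  }
  return out;
}

// The pattern Heimdall flags: the whole request body becomes the log line.
function loginLogLineRisky(req) {
  return `login attempt ${JSON.stringify(req.body)}`;
}

// Fix 1: name the fields you want. The password can never be logged by
// accident because it is never referenced.
function loginLogLineFixed(req) {
  return `login attempt ${JSON.stringify({ email: req.body.email, ip: req.ip })}`;
}

// Fix 2: if you genuinely need the object shape while debugging, pass it
// through the redactor first so secret-named keys are masked at any depth.
function loginLogLineRedacted(req) {
  return `login attempt ${JSON.stringify(redactForLog(req.body))}`;
}

// Constructed sample request; the email, password and key are fake values.
const sampleReq = {
  ip: '203.0.113.7',
  body: { email: 'dev@example.com', password: 'hunter2', remember: true,
          profile: { apiKey: 'sk-FAKE-0000', name: 'Dev' } },
};

console.log(loginLogLineRisky(sampleReq));    // contains hunter2 and sk-FAKE-0000
console.log(loginLogLineFixed(sampleReq));    // only email and ip
console.log(loginLogLineRedacted(sampleReq)); // secrets replaced by [REDACTED]
```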

Frequently asked questions

Is this only a risk in production?

What if I use a structured logging library instead of console.log?

Should I go back and purge old logs that already have this?
