Logs leak secrets constantly, and almost never on purpose. A request-logging middleware that dumps every header. A crash report that prints the full config object. A debug line that echoes environment variables and never gets removed. None of these are written with the intent to expose a credential — but the moment that log is pasted into a GitHub issue, a Slack channel, or an AI chat, whatever secret it contains should be treated as compromised.
About to share a log?
Open Log Redactor →How secrets actually end up in logs
Rarely does anyone deliberately write console.log(apiKey) and ship it. The real sources are more indirect:
- Request/response dumps — middleware or a
curl -vthat logs full headers, includingAuthorization: Bearer ... - Config or environment dumps — a crash handler that prints the entire process environment or config object for "debugging context"
- Connection strings — a database URL like
postgres://user:password@host/dblogged as-is when a connection fails - Startup scripts — a one-off
echo $API_KEYadded while debugging deployment, left in place afterward
Each of these is a small, individually reasonable decision. The aggregate effect, over the lifetime of a codebase, is that logs quietly accumulate more sensitive material than anyone intended.
Why this matters the moment a log leaves your machine
A secret sitting in a local log file on your own laptop is low-risk. The risk appears the instant that log is pasted somewhere else: a GitHub issue (public or private, indexed and cached regardless), a Slack message (retained per your workspace's policy), or an AI chat (sent to a third-party provider). Most security teams treat any credential that touched a third-party service as compromised and require rotation — regardless of whether anyone actually misused it. Redacting first costs a few seconds. Rotating a leaked production key afterward costs a lot more.
What a pattern-based redactor actually catches
The Log Redactor works by recognizing the shape of a secret, not by knowing your secret in advance. That splits into two styles of detection:
- Format-based — values with a distinctive, recognizable prefix or structure: AWS keys (
AKIA...), GitHub/Slack/Stripe/npm tokens,sk-style API keys, JWTs (three base64 segments joined by dots, startingeyJ), and PEM private-key blocks. - Context-based — values that only look like secrets because of what's next to them:
password=,api_key:,user:pass@inside a connection string, or aBearer/Basicauth header. Here the key name is kept (it's useful context) and only the value is replaced.
Card-like numbers get an extra check: a 13–19 digit sequence only gets redacted if it passes the Luhn checksum real card numbers satisfy, so order IDs and timestamps aren't falsely flagged. Everything else is grouped into six toggleable categories — vendor keys, tokens/auth headers, passwords, emails, network addresses, card numbers — so you can leave a category alone if, say, internal IPs are fine to share in your context.
What it can't catch — and why that's an inherent limit, not a bug
Detection depends on a secret having some recognizable shape. A vendor-prefixed key or a JWT structure stands out; a bare internally-generated token with no prefix and no descriptive key name next to it does not — it's indistinguishable from a request ID, a hash, or a session identifier. This is true of any pattern-based redactor, not a specific shortcoming of one implementation. Treat the output as a strong first pass: it catches the categories that account for the overwhelming majority of accidental leaks, but you should still skim the result before sharing, particularly for custom internal token formats your own systems invented.
A safe workflow before you share a log
- Redact first, every time — make it a habit rather than a judgment call made under pressure while debugging.
- Skim the redacted output for anything that looks secret-shaped but wasn't caught — internal token formats are the most common gap.
- Keep the original unredacted log somewhere private if you'll need the actual values again later — redaction here is one-way by design.
- If the log contains an error you're actually trying to debug, run the original through the Error Log Analyzer first to get routed to the fix, then redact before you share it with anyone else.
Frequently Asked Questions
Why do secrets end up in logs in the first place?
Most leaks aren't intentional logging of secrets — they're side effects. A request-logging middleware dumps all headers, including Authorization. A crash handler prints the full config object, including a database URL with embedded credentials. A startup script echoes environment variables for debugging and never removes the line. Each of these is reasonable in isolation, but the combined effect is that credentials end up in plain text in a log file.
What kinds of secrets can be detected automatically in a log?
Anything with a recognizable shape: vendor-prefixed API keys (AWS access keys starting AKIA, GitHub tokens starting ghp_, Stripe keys starting sk_live_), JWTs (three base64 segments separated by dots, starting with eyJ), Bearer and Basic authorization headers, password= or api_key: style key-value pairs, user:password@ credentials inside connection strings, and PEM-formatted private key blocks. Anything with a distinctive prefix or structural pattern is detectable; a bare random string with no surrounding context is not.
Can a log redactor miss a secret?
Yes. Pattern-based detection can only catch what looks like a secret. An internally generated token with no recognizable prefix and no descriptive key name next to it (e.g. a bare 32-character hex string used as a session ID) can be indistinguishable from a request ID or hash. Treat automated redaction as a strong first pass, not a guarantee — skim the output before sharing, especially for custom internal token formats.
Why not just use find-and-replace in a text editor?
Find-and-replace requires you to already know the exact secret value and its exact position, which defeats the purpose when you're scanning an unfamiliar log for anything sensitive. A pattern-based redactor instead recognizes the shape of a secret (an AWS key format, a JWT structure, a password= pattern) without you needing to spot it manually first, which is both faster and less error-prone for logs longer than a few lines.
Is it safe to paste a log into an AI chat assistant?
Only after removing anything sensitive from it first. Logs pasted into an AI assistant are typically sent to that provider's servers and may be retained depending on its data policy. Treat it the same as pasting into any third-party service: redact API keys, tokens, passwords, and PII before sending, using a browser-only redactor so the unredacted log never has to leave your machine in the process.
Paste your log and get a safe-to-share version back instantly.
Open Log Redactor →