by blr246
2651 days ago
Agree this is pretty much inexcusable. Logging request or response payloads without an explicit whitelist should raise flags for any developer. There are very few cases where you can assert that not only in the present but also for all future use cases of a system, the entirety of a payload will not contain sensitive user data. Only a whitelist will suffice to maintain good security. It's common for developers to attach sensitive data for debugging and other use cases under arbitrary paths. Systems can improve further by adding patterns and other heuristics to drop values from the whitelist that look like sensitive data.
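The approach described in the comment above, sketched as an added example (not code from the commenter or from any system under discussion): only explicitly allowlisted payload paths are logged, and a value on an allowlisted path is still redacted when it matches a sensitive-looking pattern. The field names, patterns, and sample payload are assumptions constructed for illustration.

```python
import re

# Explicit allowlist of payload paths that may be logged (hypothetical field names).
ALLOWED_PATHS = {"request_id", "user.id", "user.plan", "items.sku", "items.qty", "note"}

# Heuristics for values that look sensitive even on an allowlisted path.
SENSITIVE_PATTERNS = [
    re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),   # e-mail address
    re.compile(r"\b(?:\d[ -]?){13,19}\b"),            # card-number-like digit run
    re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+"),        # JWT-shaped token
    re.compile(r"(?i)\b(?:bearer|basic)\s+\S+"),      # Authorization header value
]

def looks_sensitive(value):
    """True when the scalar's text form matches any sensitive-data heuristic."""
    return any(p.search(str(value)) for p in SENSITIVE_PATTERNS)

def sanitize(payload, prefix=""):
    """Return a copy holding only allowlisted leaves; everything else is dropped."""
    if isinstance(payload, list):
        # List items share the parent's path; bare scalars in lists are dropped (fail closed).
        cleaned = [sanitize(item, prefix) for item in payload]
        return [c for c in cleaned if c not in ({}, [], None)]
    if not isinstance(payload, dict):
        return None
    out = {}
    for key, value in payload.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, (dict, list)):
            child = sanitize(value, path)
            if child:  # omit containers that end up empty
                out[key] = child
        elif path in ALLOWED_PATHS:
            out[key] = "[REDACTED]" if looks_sensitive(value) else value
    return out

SAMPLE = {  # constructed payload, not real data
    "request_id": "r-1001",
    "user": {"id": 42, "plan": "pro", "email": "a@example.com",
             "debug": {"password": "hunter2"}},  # data attached under an arbitrary path
    "items": [{"sku": "A1", "qty": 2, "card": "4111 1111 1111 1111"}],
    "note": "contact me at jane@example.com",   # allowlisted path, sensitive-looking value
    "authorization": "Bearer abc.def.ghi",
}

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Fields added later, such as `user.debug` here, stay out of the log until someone adds them to `ALLOWED_PATHS`, which is the property a denylist cannot give.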