by __ralston3 2645 days ago
I find it pretty shocking that other commenters are looking at this as excusable. I mean, is that OK/excusable at your company? Logging payloads/bodies of sensitive requests in plain text - 0 obfuscation. That's ok? Wow. Other commenters are saying "it's logging so it's a forgivable mistake". Is it though? Obviously the world won't end because of these decisions, but holy hell I can't believe this wasn't caught/brought up in some type of code review. This seems pretty 101-ish.

This kind of thing can often be hard to catch in a code review, because often it's the combination of several systems that causes this to happen. Tracing the user's password from the submission form all the way to the logger would probably require jumping through several layers, most of which are just handed black-box blobs that they hand to the next system.
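The reply above describes the failure mode: the request body arrives at the logger as an opaque blob, so no single layer knows it contains a password. The usual mitigation is to put the redaction at the one layer that does know the content type, and to refuse to log anything it cannot parse. The following is an added example written for this thread, not code from either commenter or from any project discussed; the key list, the sample requests and the `log_request` shape are assumptions for illustration.

```python
import json
from urllib.parse import parse_qsl, urlencode

# Field names whose values must never reach a log line (assumed list; extend per application).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "secret", "authorization", "api_key"}
REDACTED = "REDACTED"


def redact(value):
    """Recursively replace the values of sensitive keys in nested dict/list structures."""
    if isinstance(value, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def redact_body(content_type, body):
    """Redact a raw request body based on its declared content type.

    Bodies we cannot parse are dropped entirely: an unparseable blob is exactly the
    "black box" the reply describes, and logging it is how passwords leak.
    """
    if content_type.startswith("application/json"):
        try:
            return json.dumps(redact(json.loads(body)), sort_keys=True)
        except ValueError:
            return REDACTED
    if content_type.startswith("application/x-www-form-urlencoded"):
        pairs = parse_qsl(body, keep_blank_values=True)
        return urlencode([(k, REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs])
    return REDACTED


def log_request(method, path, headers, content_type, body):
    """Build the access-log line a middleware would emit, with headers and body scrubbed.

    Headers go through the same key-based redaction, so Authorization never appears.
    """
    safe_headers = redact(headers)
    safe_body = redact_body(content_type, body)
    return f"{method} {path} headers={json.dumps(safe_headers, sort_keys=True)} body={safe_body}"


def leaks(line, secrets):
    """Check used in tests and log-pipeline audits: does any known secret appear verbatim?"""
    return [s for s in secrets if s in line]


if __name__ == "__main__":
    # Constructed sample login request, the kind a naive body logger would write out in clear.
    hdrs = {"Host": "example.test", "Authorization": "Bearer tok-123"}
    print(log_request("POST", "/login", hdrs, "application/json",
                      '{"user": "alice", "password": "hunter2", "profile": {"token": "abc"}}'))
    print(log_request("POST", "/login", hdrs, "application/x-www-form-urlencoded",
                      "user=alice&password=hunter2"))
    print(log_request("POST", "/upload", hdrs, "multipart/form-data; boundary=x", "opaque blob"))
```

The `leaks` helper is the part worth wiring into CI: feed every logging path a request built with a known canary password and assert the canary never appears in the captured log output, which catches the multi-layer case a reviewer reading one module cannot see.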