Do not log sensitive information

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

Do not log sensitive user or application data to your log files. Permissions on log files are often different from the permissions on sensitive data in your data store and on the operations that access it. Sensitive data in your logs could give users access to information that they would not otherwise be able to read.

Sensitive data includes, but is not limited to:
  • Personally identifiable information. Information that either contains personally identifiable information or can be used to derive personally identifiable information that should not be shared with users. This can include credit card numbers or social security numbers.
  • User sensitive information. Information that a user provides that they would not want shared with other users of the application. This can include user credentials, preferences or application usage information.
  • Application sensitive information. Information that comes from a trusted source that is not designed to be shared with users. This can include connection strings and service account credentials.
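
One way to back this guideline up at the logging layer, as an added example that is not code from the original page or its authors: a Python `logging` filter that masks credentials, social security numbers and card numbers before a record is written. The patterns, key names (`password`, `pwd`, `secret`, `token`) and sample values are assumptions constructed for illustration.

```python
import logging
import re

# Assumed patterns for the data kinds listed above; tune them to your own data.
SECRET = re.compile(r"\b(password|pwd|secret|token)\b(\s*[=:]\s*)[^;\s,]+", re.I)
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_ok(digits):
    """Card-number checksum, so order ids and timestamps are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_card(match):
    digits = re.sub(r"\D", "", match.group())
    return "[CARD]" if luhn_ok(digits) else match.group()


def redact(text):
    """Mask credentials, SSNs and card numbers in one log message."""
    text = SECRET.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)
    text = SSN.sub("[SSN]", text)
    return CARD.sub(mask_card, text)


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record is scrubbed before it is written."""

    def filter(self, record):
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = ()
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("app")
    log.addHandler(handler)
    # Constructed sample values, not real data.
    log.warning("db=%s", "Server=db1;User Id=svc_app;Password=Constructed#1;")
    log.warning("card %s ssn %s", "4111 1111 1111 1111", "078-05-1120")
```

Pattern-based scrubbing is a backstop for values that slip through, not a replacement for keeping sensitive data out of log calls. This filter scrubs the formatted message only, so exception tracebacks attached to a record need their own handling.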

Last edited Apr 23, 2008 at 11:15 PM by prashantbansode, version 2

Comments

ronjacobs May 19, 2008 at 1:52 AM 
You might have to do this with custom message logging, or if you do log them you must secure the logs the same way you secure other PII and HBV content (perhaps log to a database?).

blairsh Apr 17, 2008 at 11:14 PM 
Do you have guidance you can share on how to prevent PII or HBV from appearing in the WCF log file when LogMessagesAtServiceLevel is enabled?