Configure central log redaction for sensitive keys
Configure the logger with a global redaction list (authorization, cookie, set-cookie, password, token, secret, *.ssn, etc.) so sensitive fields are stripped even when a developer logs an object carelessly.
Bad example
```ts
// utils/static/logger.ts
import pino from 'pino';

const logger = pino(); // no redaction — any logged object leaks every field

export default logger;
```
Explanation (EN)
A bare `pino()` instance trusts every call site to never pass a sensitive value. That assumption fails the first time anyone logs a request, a config, or an axios error. With no central net, one careless `logger.info({ user })` where `user` later gains a `passwordHash` or `apiKey` field silently ships secrets to your log store.
Explanation (HR)
A bare `pino()` instance trusts every call site never to pass a sensitive value. That assumption fails the first time someone logs a request, a configuration, or an axios error. Without a central net, one careless `logger.info({ user })` where `user` later gains a `passwordHash` or `apiKey` field silently ships secrets to your log store.
Good example
```ts
// utils/static/logger.ts
import pino from 'pino';

const logger = pino({
  redact: {
    paths: [
      'req.headers.authorization',
      'req.headers.cookie',
      'res.headers["set-cookie"]',
      '*.password',
      '*.token',
      '*.accessToken',
      '*.sessionCookie',
      '*.ssn',
      'sessionCookie',
    ],
    censor: '[REDACTED]',
  },
});

export default logger;
```
Explanation (EN)
Redaction is enforced once, centrally, and applies to every log line regardless of who wrote the call site. Even if someone logs a full object, the listed paths are replaced with `[REDACTED]`. This is defense-in-depth: it complements (not replaces) the discipline of logging minimal fields, catching the human mistakes that discipline misses.
Explanation (HR)
Redaction is enforced once, centrally, and applies to every log line regardless of who wrote the call site. Even if someone logs a whole object, the listed paths are replaced with `[REDACTED]`. This is defense in depth: it complements (does not replace) the discipline of logging minimal fields, catching the human mistakes that discipline misses.
Exceptions / Tradeoffs (EN)
Redaction paths must be kept in sync as data models grow — review them when adding new auth or PII fields. A wildcard like `*.token` only matches the key name, so normalize sensitive field names across the codebase.
Exceptions / Tradeoffs (HR)
Redaction paths must be kept in sync with the growth of the data models: review them when adding new auth or PII fields. A wildcard like `*.token` matches only the key name, so normalize the names of sensitive fields across the whole codebase.
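As an added check for the wildcard caveat above (example code, not pino's, fast-redact's or the project's own): a stand-alone approximation of pino's redact path matching, assuming a single-level `*` wildcard and bracket segments like `["set-cookie"]`, run over a constructed payload to list which sensitive-looking fields the good example's redact list still misses.

```javascript
// Approximation of pino's redact-path matching (not pino's own code): assumes '*'
// matches exactly one key level and bracket segments like ["set-cookie"].
const REDACT_PATHS = [
  'req.headers.authorization', 'req.headers.cookie', 'res.headers["set-cookie"]',
  '*.password', '*.token', '*.accessToken', '*.sessionCookie', '*.ssn', 'sessionCookie',
];
const CENSOR = '[REDACTED]';
// 'res.headers["set-cookie"]' -> ['res', 'headers', 'set-cookie']
function splitPath(path) {
  const segs = [];
  const re = /\["?([^"\]]+)"?\]|([^.[\]]+)/g;
  let m;
  while ((m = re.exec(path)) !== null) segs.push(m[1] !== undefined ? m[1] : m[2]);
  return segs;
}
// Censor every value reached by one path; '*' expands to the keys at that level only.
function censorPath(node, segs, i) {
  if (node === null || typeof node !== 'object') return;
  const seg = segs[i];
  const keys = seg === '*' ? Object.keys(node)
    : Object.prototype.hasOwnProperty.call(node, seg) ? [seg] : [];
  for (const k of keys) {
    if (i === segs.length - 1) node[k] = CENSOR;
    else censorPath(node[k], segs, i + 1);
  }
}
function redact(payload, paths = REDACT_PATHS) {
  const copy = JSON.parse(JSON.stringify(payload)); // plain-data deep copy
  for (const p of paths) censorPath(copy, splitPath(p), 0);
  return copy;
}
// Walk the redacted output and list sensitive-looking keys that survived.
const SENSITIVE_KEY = /password|passwd|secret|token|api[_-]?key|cookie|authorization|ssn/i;
function findUnredacted(obj, prefix = []) {
  const leaks = [];
  if (obj === null || typeof obj !== 'object') return leaks;
  for (const [k, v] of Object.entries(obj)) {
    const path = [...prefix, k];
    if (SENSITIVE_KEY.test(k) && v !== CENSOR) leaks.push(path.join('.'));
    leaks.push(...findUnredacted(v, path));
  }
  return leaks;
}
// Constructed sample payload: note the password nested three levels deep.
const SAMPLE_LOG = {
  req: { headers: { authorization: 'Bearer abc.def', cookie: 'sid=123' },
         body: { user: { password: 'hunter2' } } },
  res: { headers: { 'set-cookie': 'sid=456; HttpOnly' } },
  user: { password: 'hunter2', apiKey: 'k-000' },
};
```

`findUnredacted(redact(SAMPLE_LOG))` reports `req.body.user.password` (too deep for `*.password`) and `user.apiKey` (never listed); run the same check in a unit test against your real log shapes whenever a model gains an auth or PII field.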