Application Security Best Practices While Logging And Auditing

Introduction

In this blog, we discuss application security while logging and auditing. While writing code we tend to think about code optimization and application performance, but not about writing secure code. Let's look at the best approaches to logging and auditing.

Best Practices

  • Can we log sensitive information? - Absolutely not. Logging personal information such as usernames, passwords, or anything similar is not a best practice. If you must log it, encrypt the data.
  • Can we log application errors? - Yes, we can log the exception messages; they always help in resolving the reported issue. We need to avoid writing logs line by line.
  • User input sanitization - user inputs must be sanitized before they are logged. For example, if a user sends a username such as <script>alert("hello")</script>, we need to sanitize it.
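As an added example (not code from the original post), here is a small Python module showing how the three points above can be enforced in code: sensitive fields are redacted by name, user-supplied values are neutralized before they are written (control characters are escaped so one value cannot forge extra log entries, and HTML is escaped so the <script> case above is inert in a browser-based log viewer), and every event is emitted as a single line. The field names in SENSITIVE_KEYS and the sample events are constructed for illustration; extend the set with your own application's field names.

```python
import html
import logging
import re
from typing import Any, Mapping

# Field names whose values must never reach the log in clear text.
# Constructed list for this example; add your own application's names.
SENSITIVE_KEYS = {
    "password", "passwd", "secret", "token", "access_token",
    "authorization", "cookie", "connection_string", "card_number", "iban",
}

# ASCII control characters, including CR and LF, which would otherwise let
# a single untrusted value start a new (forged) log line.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: Any, max_len: int = 200) -> str:
    """Neutralize an untrusted value before it is interpolated into a log line.

    - Control characters are replaced with their \\xNN escape.
    - HTML metacharacters (including quotes) are escaped, so a value like
      <script>alert("hello")</script> cannot execute if the log is rendered.
    - Over-long values are truncated so one event stays one record.
    """
    text = str(value)
    text = _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)
    text = html.escape(text, quote=True)
    if len(text) > max_len:
        text = text[:max_len] + "...[truncated]"
    return text


def redact_sensitive(fields: Mapping[str, Any]) -> dict:
    """Return a copy of `fields` with sensitive values masked and the rest sanitized."""
    redacted = {}
    for key, value in fields.items():
        if key.lower() in SENSITIVE_KEYS:
            redacted[key] = "[REDACTED]"
        else:
            redacted[key] = sanitize_for_log(value)
    return redacted


def format_event(event: str, fields: Mapping[str, Any]) -> str:
    """Build a single-line key="value" record for one application event.

    Values are already sanitized (quotes escaped), so wrapping them in
    double quotes keeps the record unambiguous even if a value has spaces.
    """
    parts = ['event="%s"' % sanitize_for_log(event)]
    for key, value in redact_sensitive(fields).items():
        parts.append('%s="%s"' % (key, value))
    return " ".join(parts)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    log = logging.getLogger("app")

    # Constructed sample events: a failed login with a hostile username and
    # a password that must never be written out.
    log.info(format_event("login_failed", {
        "username": 'admin\r\nINFO login_ok user="admin"',  # attempted line forgery
        "password": "hunter2",
    }))
    log.info(format_event("profile_update", {
        "username": '<script>alert("hello")</script>',
        "access_token": "eyJ-example",
    }))
```

The filter-style approach (a logging.Filter that rewrites every record) is deliberately avoided here: it would also escape quotes written by developers in their own messages, so the sanitization is applied only to the untrusted values as they are placed into the record.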

The following should not usually be recorded directly in the logs:

  • Application source code.
  • Access tokens.
  • Authentication information.
  • Database connection strings.
  • Bank account and payment details.
  • Information that is illegal to store.
  • File paths.
  • Server information such as server name, IP, etc.

Summary

In this blog, we learned about security practices while logging.

I hope that you find it helpful. Eat->Code->Sleep->Repeat.