Introducing Secure Log (2023): A Secure Console.Log Alternative In Typescript
We’re excited to introduce one of our first open-source contributions: secure log.
console.log experience that detects and prevents leaking API tokens and other app secrets into your logs.
We all love debugging our code with console.log: it’s easy, fast, and you can just move on with your day without much friction. But what if you forget to remove your console statements from your code in the heat of the moment? In the worst case scenario, you can leak sensitive information attackers can use to target your customers.
It doesn’t disrupt your dev team’s favorite workflow, but protects them from tiny mistakes that can cost a fortune.
What’s console log
console.log() is a built-in function provided by web browsers and Node.js environments that allows you to output messages or data to the browser’s console or the terminal. It is commonly used for debugging and understanding what’s happening in your code at different points during execution.
The syntax for
console.log() is straightforward:
console.log(value1, value2, ..., valueN);
It’s a useful tool for developers when they want to inspect variables, check if certain code blocks are being executed, or simply log messages for debugging purposes. But it’s not recommended to leave
console.log() statements in your production code since they can affect performance and may expose sensitive information.
Why you need secure logging
Secure logging prevents secret leaks and sensitive data exposure. Without proper monitoring mechanisms, valuable information like passwords or API keys might accidentally find its way into log files, posing a severe security threat.
To prevent data breaches, it’s important to install vulnerability and compatibility scanners. These tools help identify potential weaknesses and vulnerabilities in the application, enabling you to proactively address them before they are exploited by malicious actors. Secure log acts as a vulnerability scanner for your console.log statements without introducing a new tool in your tech stack.
App and server misconfigurations can also lead to unintended exposure of sensitive data if you print app details in the console. Therefore, preventing your logs from exposing sensitive information is crucial to maintaining a secure application. If you leave console statements in your code, injection attacks like SQL injection or code injection could be used to display your app state as well, which can then be used to escalate the attack.
In production environments, leaving
console.log() statements with sensitive data could end up in production logs, posing a significant security risk if the logs are accessed by unauthorized individuals.
Lastly, logging statements can have a negative impact on the performance of your application when they often arise. While it may seem like a harmless statement, it can add unnecessary overhead, especially if you have logging statements in a frequently accessed loop. This can slow down your application and potentially cause denial of service errors.
How to use secure log
SecureLog works in both Node.js and the browser. It only takes two lines of code to override the default console:
import SecureLog from '@onboardbase/secure-log';
You can then use your
console methods as usual:
The logs will include the
You can also add a configuration object to disable logging in certain environments. For example, to disable logging in production:
disableOn: 'production', // disables the securelog wrapper
disableConsoleOn: 'production', // disables logging
The environment names must match the ones in your
process.env.NODE_ENV environment variable.
The SecureLog library parses the
arguments passed to the
console.log function to check if any of the
...args inside your
console.log function is a secret defined in your environment configuration. The parser throws a warning if any potential secret is found. For example:
This statement will throw a warning if an actual
AWS_ACCESS_KEY_ID is found in the
process.env to notify the user that they are logging a potential secret. You can then use this warning in your CI/CD pipeline to prevent the code from being deployed.
Supported console methods
The SecureLog library supports the following console methods.
Logs messages to the console.
Clears the console of any previous log messages and outputs.
Logs a warning message to the console.
Stops the current profiling session and displays the collected profile data.
Logs debug messages to the console, often used for debugging purposes.
Logs informational messages to the console.
Logs error messages to the console.
Displays tabular data as a table in the console.
console.table(['a', 'b', 'c']);
Secure log is a Typescript wrapper around the
console object that checks you don’t leak env secrets in your codebase by matching .env variables with
- It extends the native console object in a SecureLog class. Even though you can find online discussions entertaining the idea of overriding console methods, it is bad practice because it can break other parts of your application that need it.
- Unsupported methods will fail gracefully with a console error message.
- The library is type-safe and tested.
The program fits in a single file, so feel free to have a look and contribute!
- Install SecureLog via CDN
- AI to scan values passed to
console.logand report potential sensitive logs
Our ambition at Onboardbase is to become the go-to platform for developers to build and ship secure applications. We’re starting with a simple library that can help you prevent sensitive data leaks in your logs, but we have a lot more in store for you. Stay tuned!
Subscribe to our newsletter
The latest news, articles, features and resources of Onboardbase, sent to your inbox weekly