
There are sound reasons not to put any secrets, PII or other sensitive information into the logs on the server side (see OWASP ASVS V7).

But should the same rule apply on the client side? Is there a sound reason we should prohibit devs from logging e.g. jwt tokens into the console in the browser?

1 Answer


I see no real problem with doing this in development environments. However, I am not sure I would do it in production for a number of reasons:

  • Why log stuff to the console in production at all? It just looks messy, imho.
  • If you take a screenshot with the console open and publish it, you might accidentally expose sensitive information.
  • It opens up to social engineering attacks (similar to self-XSS) where users are tricked into exposing information from the console. Most browsers have big warnings to users in the console nowadays, but I am not sure how effective they would be against this.
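One way to get the "fine in development, not in production" behaviour the answer describes, while also making sure a token never lands in the console by accident, is a small logging wrapper that is silenced outside development and redacts JWT-shaped strings and secret-bearing keys before printing. This is an added example, not code from the question or the answer; the environment string passed to `createLogger`, the `SENSITIVE_KEYS` list and the sample token are assumptions constructed for illustration.

```javascript
// Added example (not from the original Q&A): a browser-side logging wrapper
// that (a) drops all output outside development and (b) redacts JWT-shaped
// strings and known secret-bearing keys before anything reaches the console.
// The environment label and the key list below are assumptions.

// Matches the three base64url segments of a compact JWT (header.payload.signature).
const JWT_PATTERN = /\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g;

// Object keys whose values are never printed, whatever their shape (assumed list).
const SENSITIVE_KEYS = new Set([
  'authorization', 'token', 'access_token', 'refresh_token', 'id_token',
  'password', 'secret',
]);

// Replace every JWT-looking substring in a string.
function redactString(s) {
  return s.replace(JWT_PATTERN, '[REDACTED_JWT]');
}

// Recursively redact strings, arrays and plain objects; other values pass through.
function redact(value, depth = 0) {
  if (depth > 10) return '[depth-limited]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Only the 'development' environment gets console output at all.
function isDevelopment(env) {
  return env === 'development';
}

// Build a logger; `sink` defaults to the real console but can be swapped for testing.
// debug() returns true if something was written, false if it was suppressed.
function createLogger(env, sink = console) {
  const enabled = isDevelopment(env);
  return {
    debug(...args) {
      if (!enabled) return false;
      sink.log(...args.map((a) => redact(a)));
      return true;
    },
  };
}

// Constructed sample: a token-like string (not a real credential).
const SAMPLE_JWT =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abcdefghijklmnopqrstuvwxyz0123456789';

const log = createLogger('development');
log.debug('request headers', { Authorization: 'Bearer ' + SAMPLE_JWT, user: 'alice' });
```

The environment gate addresses the first bullet (nothing is printed in production); the redaction covers the screenshot and social-engineering cases, since even a developer who forgets to remove a `debug` call cannot print a raw token through this path. Direct `console.log` calls bypass it, so in practice a lint rule forbidding `console.*` outside the wrapper completes the control.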
