Safety Tutorial
How to remove secrets from logs before sharing them with AI or teammates
Many debugging logs contain more than stack traces. They can include API keys, bearer tokens, cookies, database connection strings, internal hostnames, signed URLs, request payloads, and customer identifiers. Once a log is copied into a ticket, a chat tool, or an AI assistant, that context can travel further than the developer originally intended.
A good redaction workflow starts before sharing, not after. The aim is to keep the technical signal while removing the data that should not leave the original environment.
High-risk categories
- Access tokens, cookies, API keys, auth headers
- Customer emails, IDs, names, addresses, request payloads
- Private bucket names, internal URLs, repository paths
- Database connection strings and signed temporary URLs
Safer replacement style
Replace values with short placeholders such as `[REDACTED_TOKEN]`, `[CUSTOMER_ID]`, or `[INTERNAL_HOST]`. That keeps the shape of the log intact while removing the sensitive content.
Recommended review order
- Reduce the log to the smallest useful section first.
- Scan for obvious secrets and customer data.
- Replace values with explicit placeholders instead of deleting whole lines when possible.
- Add one sentence that explains anything important you removed conceptually.
Authorization: Bearer eyJ...Authorization: Bearer [REDACTED_TOKEN]postgres://admin:password@db.internal/apppostgres://[USER]:[PASSWORD]@[INTERNAL_HOST]/[DB]https://bucket.example/file?X-Amz-Signature=...https://[BUCKET]/[FILE]?[SIGNED_QUERY_REMOVED]userId=84291 email=user@example.comuserId=[CUSTOMER_ID] email=[CUSTOMER_EMAIL]Why placeholders are better than deletion
A placeholder preserves the role and structure of a value. A reviewer can still see that authentication, a customer identifier, or an internal host was involved without receiving the underlying secret.
Do not share when
The diagnostic value depends on production payloads, regulated data, proprietary algorithms, private certificates, or credentials that cannot be represented safely. Move the investigation to an approved internal environment instead.