Secrets don't sit in code or logs

Secrets live in env or secret stores — never in source, committed config, or client bundles.

nestjs-security-no-secrets-in-code

Why it matters

Failure modes if this rule is ignored

Stake: Secret exposure

If ignored:
  • A secret written to a log is leaked to anyone with access to your log platform. Rotation is the only fix.
  • Without an automatic redactor, passwords leak the moment a log prints a request body.

How to fix

API keys, JWT secrets, DB passwords — read only via ConfigService, and never written to logs. A logging interceptor strips sensitive values automatically before anything is logged.

Examples

Bad

```ts
// body contains the plaintext password, which now sits in the log platform
logger.info({ event: 'login_attempt', body: req.body });
```
Good

```ts
// libs/shared/backend-observability/src/lib/redact.ts
// Keys are compared in lower case, so the list must be lower case too
// (a mixed-case entry such as 'apiKey' would never match a lower-cased key).
const SENSITIVE = ['password', 'token', 'apikey', 'secret', 'authorization'];

export function redact(obj: any): any {
  if (obj === undefined) return obj; // JSON.parse(undefined) would throw
  // Round-trip through JSON; the replacer sees every key, including nested ones
  return JSON.parse(JSON.stringify(obj, (key, value) =>
    SENSITIVE.some(s => key.toLowerCase().includes(s)) ? '[REDACTED]' : value
  ));
}

// Interceptor using the built-in Nest Logger (its method is log(), not info())
import { CallHandler, ExecutionContext, Injectable, Logger, NestInterceptor } from '@nestjs/common';

@Injectable()
export class LoggingInterceptor implements NestInterceptor {
  private readonly log = new Logger(LoggingInterceptor.name);

  intercept(ctx: ExecutionContext, next: CallHandler) {
    const req = ctx.switchToHttp().getRequest();
    // Only the redacted body ever reaches the log line
    this.log.log({ method: req.method, path: req.path, body: redact(req.body) });
    return next.handle();
  }
}
```
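As an added example (not code from this rule page), a recursive redactor that goes beyond the JSON round-trip version above: it walks nested objects and arrays, normalises kebab-case header names such as x-api-key so they still match, and tolerates the circular references real framework request objects carry (which make JSON.stringify throw). The sample log entry and its values are constructed for the demonstration.

```typescript
// Added example, not the rule page's code: recursive redactor plus a constructed payload.
const SENSITIVE_KEYS = ['password', 'token', 'apikey', 'secret', 'authorization'];

// Normalise the key (lower case, letters and digits only) before the substring match,
// so 'otpToken', 'X-Api-Key' and 'authorization' all count as sensitive.
function isSensitiveKey(key: string): boolean {
  const k = key.toLowerCase().replace(/[^a-z0-9]/g, '');
  return SENSITIVE_KEYS.some(s => k.includes(s));
}

// `seen` holds the objects on the current path: a cycle becomes a marker instead of
// an exception. The entry is removed on the way out, so a shared but non-cyclic
// reference is still redacted normally rather than being mislabelled as circular.
export function redactDeep(value: unknown, seen: WeakSet<object> = new WeakSet()): unknown {
  if (value === null || typeof value !== 'object') return value;
  const obj = value as object;
  if (seen.has(obj)) return '[CIRCULAR]';
  seen.add(obj);
  let out: unknown;
  if (Array.isArray(obj)) {
    out = obj.map(v => redactDeep(v, seen));
  } else {
    const copy: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(obj)) {
      copy[k] = isSensitiveKey(k) ? '[REDACTED]' : redactDeep(v, seen);
    }
    out = copy;
  }
  seen.delete(obj);
  return out;
}

// Constructed sample of what a login request's log entry could contain, including a
// self-reference like the ones request objects have (all values are made up).
export function sampleLogEntry(): Record<string, unknown> {
  const entry: Record<string, unknown> = {
    method: 'POST',
    path: '/auth/login',
    headers: { 'content-type': 'application/json', 'x-api-key': 'k-0000', authorization: 'Bearer eyJ...' },
    body: { email: 'a@example.com', password: 'hunter2', mfa: [{ otpToken: '123456' }] },
  };
  entry.self = entry;
  return entry;
}

// Sensitive keys gone, everything else intact, cycle replaced by a marker.
console.log(JSON.stringify(redactDeep(sampleLogEntry()), null, 2));
```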

Released under the MIT License.